Everyone vs Authenticated Users vs Domain Users

There are situations in which you need to grant access rights to a resource to users in general, for example a read-only utility share or a printer that everyone may use. In scenarios like these, the following groups can be used:

  • Everyone
  • Authenticated Users
  • Domain Users

These groups, however, differ from one another, and based on the access needs of the resource it is advisable to choose the most restrictive one whenever more than one group would serve the purpose.

To understand the members and characteristics of each group, refer to KB243330 Well-known security identifiers in Windows operating systems, which states the following:

Everyone
A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. By default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2).
SID: S-1-1-0

Authenticated Users
A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
SID: S-1-5-11

Domain Users
A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
SID: S-1-5-21-<domain>-513

Note that the Domain Users group is in effect a subgroup of Authenticated Users, which is in turn a subgroup of the Everyone group.
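As an added example (not part of the original article), the following PowerShell reports which NTFS ACEs on a folder are granted to the broad principals discussed above, so that an administrator can see where a more restrictive group would do, and can replace an explicit Everyone grant with a read-only Authenticated Users grant. The function names and the sample path are assumptions; the code needs Windows PowerShell 5.1 or later and only handles NTFS permissions, not the share-level permissions of an SMB share.

```powershell
# Added example (not from the original article). Audits NTFS ACEs granted to the
# broad principals discussed above and can replace an explicit "Everyone" grant
# with a read-only "Authenticated Users" grant. Requires Windows PowerShell 5.1+.

function Get-BroadAccessAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # SIDs from KB243330; Domain Users is domain-relative, so it is matched by RID 513.
    $broad = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-11' = 'Authenticated Users'
        'S-1-5-7'  = 'Anonymous'
    }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value

        if     ($broad.ContainsKey($sid))        { $principal = $broad[$sid] }
        elseif ($sid -match '^S-1-5-21-.*-513$') { $principal = 'Domain Users' }
        else   { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $principal
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited     # inherited ACEs must be fixed at their source
        }
    }
}

function Set-ReadOnlyForAuthenticatedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    $everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

    $acl = Get-Acl -LiteralPath $Path
    # PurgeAccessRules removes only explicit (non-inherited) entries for the principal.
    $acl.PurgeAccessRules($everyone)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $authUsers, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($Path, 'Replace Everyone with Authenticated Users (read-only)')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Usage (constructed path):
# Get-BroadAccessAce -Path 'C:\Shares\Utility' | Format-Table -AutoSize
# Set-ReadOnlyForAuthenticatedUsers -Path 'C:\Shares\Utility' -WhatIf
```

Run the audit first and review the Inherited column: an Everyone entry inherited from a parent folder is not removed by the second function and has to be corrected where it originates. The second function supports -WhatIf so the change can be previewed before it is written.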

For more information see Active Directory Security Groups, Understanding Group Accounts, Default local groups and Special Identities, from which the following additional information can be drawn:

Everyone

This group represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, the user is added automatically to the Everyone group.

All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.

On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).

Membership is controlled by the operating system.

For details on the changes made to the Everyone group in Windows XP and Windows Server 2003, refer to KB278259 Everyone group does not include anonymous security identifier, which can be summarized as follows:

“In Microsoft Windows XP and in Microsoft Windows Server 2003, the Everyone group does not contain the security identifier (SID) “Anonymous.” Therefore, users or services that attempt to access an object anonymously are not granted access if the access control list (ACL) on the object includes the Everyone group. Anonymous access is only granted for objects whose ACL explicitly contains the anonymous SID.”

Members of the Everyone group have the following privileges:

Authenticated Users

Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system.

Authenticated Users have the following privileges:

Domain Users

The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.

By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain.

Domain Users have the same privileges as the Users group, since the default members of the Users group are:

  • Authenticated Users
  • Domain Users
  • INTERACTIVE

Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.

Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved.

This security group includes the following changes since Windows Server 2008:

  • In Windows Server 2008 R2, INTERACTIVE was added to the default members list.
  • In Windows Server 2012, the default Member Of list changed from Domain Users to none.

Note that the Users group is in turn, by default, a member of Domain Users:

Domain Users (this membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.)

KB243330 also reports information on other groups that may better fit certain scenarios, so as to avoid granting permissions to users who do not need them:

Anonymous
Description: A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.
SID: S-1-5-7

All Services
Description: A group that includes all service processes configured on the system. Membership is controlled by the operating system. Note: Added in Windows Vista and Windows Server 2008.
SID: S-1-5-80-0

Dialup
A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.
SID: S-1-5-1

Network
A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.
SID: S-1-5-2

Batch
A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
SID: S-1-5-3

Interactive
A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
SID: S-1-5-4

Terminal Server Users
A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
SID: S-1-5-13

Remote Interactive Logon
A group that includes all users who have logged on through a terminal services logon.
SID: S-1-5-14

This Organization
A group that includes all users from the same organization. Only included with AD accounts and only added by a Windows Server 2003 or later domain controller.
SID: S-1-5-15

Domain Computers
Description: A global group that includes all clients and servers that have joined the domain.
SID: S-1-5-21-<domain>-515

Users
A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
SID: S-1-5-32-545
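As an added example (not part of the original article), the following PowerShell makes the nesting described earlier visible from a defender's side: it resolves the groups carried by the current logon token against the well-known SIDs listed above, and it checks that the local Users group contains the default members named in the Users section (Authenticated Users, INTERACTIVE and, on a domain-joined computer, Domain Users). The SID table is copied from the text above; the function names are assumptions, and the code needs Windows PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the original article). Resolves the groups in the
# current logon token against the well-known SIDs listed above, and checks the
# local Users group for the default members named earlier. Windows PowerShell 5.1+.

# Well-known SIDs from KB243330 as quoted above; domain-relative ones are matched by RID.
$WellKnownSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-1'      = 'Dialup'
    'S-1-5-2'      = 'Network'
    'S-1-5-3'      = 'Batch'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-7'      = 'Anonymous'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-13'     = 'Terminal Server Users'
    'S-1-5-14'     = 'Remote Interactive Logon'
    'S-1-5-15'     = 'This Organization'
    'S-1-5-32-545' = 'Users (built-in)'
    'S-1-5-80-0'   = 'All Services'
}
$DomainRids = @{ '513' = 'Domain Users'; '515' = 'Domain Computers' }

function Resolve-WellKnownSid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($WellKnownSids.ContainsKey($Sid)) { return $WellKnownSids[$Sid] }
    # S-1-5-21-<domain>-<RID>: the domain part varies, the RID identifies the group.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $DomainRids.ContainsKey($Matches[1])) {
        return $DomainRids[$Matches[1]]
    }
    return $null
}

function Get-TokenGroupReport {
    # The token is what an ACL check actually evaluates: a domain user normally
    # carries Everyone, Authenticated Users, Domain Users and a logon-type SID at once.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($group in $identity.Groups) {
        $name = '<unresolved>'
        try { $name = $group.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid       = $group.Value
            Name      = $name
            WellKnown = Resolve-WellKnownSid -Sid $group.Value
        }
    }
}

function Test-LocalUsersDefaultMembers {
    # Expected per the Users section above: Authenticated Users and INTERACTIVE always,
    # Domain Users (RID 513) once the computer has joined a domain.
    $members = Get-LocalGroupMember -Group 'Users' -ErrorAction Stop
    $sids    = $members | ForEach-Object { $_.SID.Value }
    [pscustomobject]@{
        HasAuthenticatedUsers = $sids -contains 'S-1-5-11'
        HasInteractive        = $sids -contains 'S-1-5-4'
        HasDomainUsers        = [bool]($sids | Where-Object { $_ -match '^S-1-5-21-.*-513$' })
        Members               = ($members | ForEach-Object { $_.Name }) -join ', '
    }
}

# Usage:
# Get-TokenGroupReport | Where-Object WellKnown | Format-Table -AutoSize
# Test-LocalUsersDefaultMembers
```

The token report is the quickest way to confirm, for a given session, which of the broad groups an ACL granting Everyone, Authenticated Users or Domain Users would match; `whoami /groups` shows the same information without the SID classification.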