#4097 [RFE] Add a new mode for ad_gpo_implicit_deny
Opened 4 months ago by xsenxsenx. Modified 4 months ago

As discussed on the sssd-users list HERE, there is a need for a hardened mode of the ad_gpo_implicit_deny directive, to always only allow explicitly allowed users.

Please see the conversation from the sssd-users list below:

All I want is a way to make sure that a user, which I have not explicitly allowed access,
is denied. In other words... default behaviour for all logins should always be DENY,
regardless of number of GPOs found. Obviously, a GPO that does contain access control rules
should override this default behavior.

Right now we are forced to fall back to either "access_provider=simple" or
"ad_access_filter" just to make sure that the default behavior for logins is DENY, which unfortunately defeats the whole idea of using GPO for access control.

Any advice on how to achieve my desired functionality is appreciated.

Reply from Michal:

Currently your only way is to actually define the GPO
on the AD server. I would probably put it to a separate GPO,
something like access_control_gpo and define these rules there:

Allow log on locally
Allow log on through remote desktop services
Allow log on as a service
Allow log on as a batch job
Access this computer from the network

Define these rules and put Administrators group to all of them.
Then you can add whatever user/group you want to login (you are probably
mostly interested in the Allow log on locally and Allow log on through remote
desktop services if you are using default PAM to GPO rule mapping, but it is
still better to define all these rules explicitly if you really want a
complete whitelist on the server).

Or alternatively make all GPOs on the server not applicable
to the SSSD host (but I agree that this is kind of clumsy
solution if you have many GPOs, so it is better to go
with the above and define the policies).

Regarding SSSD-side options.
Maybe we should add a stronger mode for ad_gpo_implicit_deny to
"only allow explicitly allowed" users/groups not only
deny access if there are no applicable GPOs. I think such
option would be good hardening option, but it would basically
ignore all Deny rules on the server (OTOH if someone wants to
allow only whitelisted users/groups they would not use deny
rules, so that is actually not a problem). Will you file
an RFE or should I? Feel free to copy paste this discussion
to the ticket.

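For reference, the three sssd.conf configurations the thread talks about side by side: the GPO-based setup whose implicit-deny behaviour this RFE wants hardened, and the two workarounds the reporter falls back to (the simple access provider and ad_access_filter). This is an added illustration, not text from the ticket and not SSSD project documentation; the domain example.com, the OU "Groups" and the group "linux-admins" are assumed names.

```ini
# Added example, not from the ticket or from SSSD's own docs.
# Assumed names: AD domain example.com, group CN=linux-admins,OU=Groups.
# Blocks (A), (B) and (C) are alternatives for one [domain/...] section.

[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
ad_domain = example.com

# (A) GPO-based access control, the setup discussed in the thread.
#     ad_gpo_implicit_deny = True denies a login only when NO applicable GPO
#     is found. Once any GPO applies, its Allow/Deny logon-right lists decide,
#     so this is not the "only explicitly allowed users" mode the RFE asks
#     for; to get that today the allow lists in the GPO itself must be
#     complete, as Michal describes above.
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_implicit_deny = True
# Which logon right a PAM service is checked against is set by the
# ad_gpo_map_* options. By default sshd is evaluated against "Allow log on
# through Remote Desktop Services" and login/su against "Allow log on
# locally"; services are added with "+" and removed with "-", e.g. to make a
# custom PAM service (assumed name) count as an interactive logon:
ad_gpo_map_interactive = +my_console_service
# Services listed in ad_gpo_map_permit bypass GPO evaluation entirely; the
# default list includes polkit-1, so review it when building an allowlist.

# (B) Workaround 1: the simple provider, an explicit allowlist with no GPO.
#     Group name is the NSS name, fully qualified by default for AD domains.
#access_provider = simple
#simple_allow_groups = linux-admins@example.com

# (C) Workaround 2: an LDAP filter evaluated against the user's AD object.
#     ad_gpo_access_control = disabled switches the GPO check off so only
#     the filter decides. Plain memberOf matches direct membership only; the
#     LDAP_MATCHING_RULE_IN_CHAIN OID below makes it transitive.
#access_provider = ad
#ad_gpo_access_control = disabled
#ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=linux-admins,OU=Groups,DC=example,DC=com)
```

With (A), a user who is in no Allow list of an applicable GPO is denied, but a host that matches no GPO carrying logon rights only falls back to deny because of ad_gpo_implicit_deny; the stronger mode proposed in this ticket would make the allow lists authoritative regardless of Deny rules. With (B) or (C) the policy no longer lives in AD group policy at all, which is the drawback the reporter points out.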

Metadata Update from @mzidek:
- Issue assigned to mzidek

4 months ago
