SeInteractiveLogonRight and SeNetworkLogonRight

I am trying to risk assess which users can login to a windows server through RDP (mstsc.exe). I have a list of user righrs assignmentS for the servers local groups, two of them are called "SeInteractiveLogonRight and SeNetworkLogonRight" - are these the rights that allow users to remote onto the server using mstsc.exe? If not - what exactly are they?
LVL 3
pma111Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
McKnifeConnect With a Mentor Commented:
Hi.

By default, no user may logon to a server via RDP, neither via interactive logon.
The privileges needed are SeRemoteInteractiveLogonRight  as you found out yourself ...together with SeInteractiveLogonRight however... can't be only one.

"Access this Computer from the Network" is held by every authenticated domain user by default. It is the same as SeNetworkLogonRight.
The logon type is called network logon and is used for accessing shares or other types of remote access like administrative things as we do remotely with the mmc.
0
 
pma111Author Commented:
Think I have found my own answer, i.e. SeRemoteInteractiveLogonRight is what you need to use RDP software.

What does "Access this Computer from the Network" actually mean? i.e. if every user in your network has this URA on say a windows 2003 file server, whats the risk?
0
 
McKnifeCommented:
About the risk: all dangerous things you can do remotely need remote administrative access in addition to that privilege. What can be done without admin rights is simply enumerating things that should not be of great concern. List shares, for example (not to be confused with listing the contents of the shares).
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.