Solved

Why are users allowed to Logon Locally to Member Servers by default?

Posted on 2014-11-18
Last Modified: 2014-11-21
I found something interesting today and was hoping someone could point me in the right direction as to why. It has always been my understanding that users could not log on locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.

I logged into a client's servers this afternoon and found that the Local Users group is allowed to Logon Locally. I did this on several machines. They cannot on a DC, but member servers they have access to. I know they are not allowed for Logon Remotely.

I would think this would be a security hole. In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx it appears as a standard configuration. Is anyone out there modifying this setting? If so, how are you determining if it is OK to remove the Users group from the logon locally rights assignment?

Thanks for your insight.

Tucker
Question by:Neadom Tucker
8 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 40451039
Hi.

If you are not comfortable with it, modify it - nothing to think about. Sure, there is no imminent danger, as by default users may not use RDP to log on to the server.
0
 
LVL 6

Expert Comment

by:efrimpol
ID: 40451112
In my 18 years of working in IT for various companies, I have never had a user enter the server room and log into a server. Some server rooms were locked 24/7, others were not, but all employees were fully aware that only IT personnel were allowed to enter.

But please reference the following link

http://technet.microsoft.com/en-us/library/cc957048.aspx

and notice last statement:

"By default, there are no accounts denied the ability to logon locally."

You will have to set a GPO if you wish to change this.
0
 
LVL 6

Expert Comment

by:efrimpol
ID: 40451114
Also, "McKnife" is correct. Unless you configure a user via the Remote Desktop Group for a particular server, no employee should be able to log into a server even via RDP.
0

 
LVL 6

Author Comment

by:Neadom Tucker
ID: 40451172
Oh I agree! I am aware of the right assignment. But no one has answered my question. Are you doing this? Deny Logon Locally for the Users group? If so, please provide the details. Do you do this for all servers or just some servers? Has this broken anything?

With the implementation of Virtualization it is not so much of an issue, but still a security hole for Small Businesses with unsecured server closets or servers under a desk.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 250 total points
ID: 40451211
The first and most important aspect of any security policy is the Physical Access.  Take that away and you have done more than 50% of the job.  

IF you allow unsecured, unmonitored access to servers then yes, you need to consider everything that could possibly be done and address it. It's a simple group policy change and I am sure that in some environments it's a done thing and in others it's never considered due to physical security.

Why would it NOT be ok to do? If it is just a member server doing, for example file and print or serving web pages, why would LOG ON LOCALLY affect an account that is NOT logging on locally?
0
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 40451225
Do you know the logon types network logon vs. local logon? Taking away local logon does not break anything.
No, I don't consider it necessary to do this myself. Since DCs don't allow local logons to users, you should be able to see what the consequences are for network access: none.
0
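The distinction between local and network logon rights discussed in this thread, as an added example that is not part of the original posts: a PowerShell script that parses a `secedit` user-rights export and lists who holds each logon right. The export text is a constructed sample and the function name `Get-LogonRights` is hypothetical; the SIDs are the well-known built-in groups.

```powershell
# Added example: list who holds each logon right in a secedit user-rights export.
$WellKnown = @{                      # well-known built-in SIDs
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}
$LogonRights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
               'SeNetworkLogonRight', 'SeRemoteInteractiveLogonRight'

function Get-LogonRights {           # hypothetical helper name
    param([string[]]$InfLines)
    foreach ($line in $InfLines) {
        # Export lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        if ($LogonRights -notcontains $right) { continue }
        foreach ($entry in ($Matches[2] -split ',')) {
            $id = $entry.Trim().TrimStart('*')
            if (-not $id) { continue }
            $name = if ($WellKnown.ContainsKey($id)) { $WellKnown[$id] } else { $id }
            [pscustomobject]@{ Right = $right; Principal = $name }
        }
    }
}

# Constructed sample of a member server export. On a real server (elevated), use:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   $inf = Get-Content "$env:TEMP\rights.inf"
$inf = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551'
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555'
)
$found = Get-LogonRights -InfLines $inf
$found | Sort-Object Right, Principal | Format-Table -AutoSize

# Which rights does BUILTIN\Users hold? Local and network logon are separate
# entries, so removing one leaves the other untouched.
$usersRights = @($found | Where-Object Principal -eq 'BUILTIN\Users' | ForEach-Object Right)
if ($usersRights -contains 'SeInteractiveLogonRight') {
    'Users can log on at the console of this server.'
}
if ($usersRights -contains 'SeNetworkLogonRight') {
    'Users reach this server over the network under a separate right.'
}
```

Running the same parse before and after a GPO change shows whether the Users entry left `SeInteractiveLogonRight` while `SeNetworkLogonRight` stayed as it was.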
 
LVL 6

Author Closing Comment

by:Neadom Tucker
ID: 40454724
Thanks guys.
0
 
LVL 6

Expert Comment

by:efrimpol
ID: 40458369
An additional security measure that we implemented is security cameras throughout the building. But it's always the one pointing directly at the computer room door that seems to keep people away.

LOL
0
