<div>
Hi.<br />
<br />
If you are not comfortable with it, modify it - nothing to think about. Sure is there no imminent danger as by default, users may not use RDP to logon to server.
</div>


<div>
In my 18 years of working in IT for various companies, I have never had a user enter the server room and log into a server. Some server rooms were locked 24/7, others were not, but all employee were fully aware that only IT Personnel were allowed to enter.<br />
<br />
But please reference the following link<br />
<br />
<a href="http://technet.microsoft.com/en-us/library/cc957048.aspx" rel="ugc">http://technet.microsoft.com/en-us/library/cc957048.aspx</a><br />
<br />
and notice last statement:<br />
<br />
&quot;By default, there are no accounts denied the ability to logon locally.&quot;<br />
<br />
You will have to set a GPO if you wish to change this.
</div>


<div>
Also, &quot;McKnife&quot; is correct. Unless you configure a user via the Remote Desktop Group for a particular server, no employee should be able to log into a server even via RDP.
</div>


<div>
Oh I agree! &nbsp;I am aware of the right assignment. &nbsp;But no-one has answered my question. &nbsp;Are you doing this? &nbsp;Deny Logon Locally for the Users group? &nbsp;If so, &nbsp;please provide the details. &nbsp;Do you do this for all servers or just some servers. &nbsp;Has this broken anything?<br />
<br />
With the implementation of Visualization it is not so much of an issue but still a security hole for Small Businesses with unsecured server closets or servers under a desk.
</div>


<div>
An additional security measure that we implemented are security cameras throughout the building. But it's always the one pointing directly at the computer room door that seems to keep people away. <br />
<br />
LOL
</div>


<div>
<div class="content wysiwyg-content">
I found something interesting today and was hoping someone could point me in the right direction as to why. &nbsp;It has always been my understanding that users could not logon to locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.<br />
<br />
I logged into a clients servers this afternoon and found that the Local Users group is allowed to Logon Locally. &nbsp;I did this on several machines. They can not on a DC but member servers they have access to. &nbsp;I know they are not allowed for Logon Remotely.<br />
<br />
I would think this would be a security hole. &nbsp;In reading the following:<a href="http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx" rel="ugc"> http://technet.microsoft.c<wbr />om/en-us/l<wbr />ibrary/dn2<wbr />21980(v=ws<wbr />.10).aspx</a> It appears as a standard configuration. &nbsp;Is anyone out there modifying this setting? &nbsp;If so, how are you determining if it is ok to remove the users group form the logon locally rights assignment.<br />
<br />
Thanks for your insight.<br />
<br />
Tucker
</div>
</div>


I found something interesting today and was hoping someone could point me in the right direction as to why.  It has always been my understanding that users could not logon to locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.

I logged into a clients servers this afternoon and found that the Local Users group is allowed to Logon Locally.  I did this on several machines. They can not on a DC but member servers they have access to.  I know they are not allowed for Logon Remotely.

I would think this would be a security hole.  In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx (http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx) It appears as a standard configuration.  Is anyone out there modifying this setting?  If so, how are you determining if it is ok to remove the users group form the logon locally rights assignment.

Thanks for your insight.

Tucker

Why are users allowed to Logon Locally to  Member Servers by default?

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.