Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 195
  • Last Modified:

Why are users allowed to Logon Locally to Member Servers by default?

I found something interesting today and was hoping someone could point me in the right direction as to why.  It has always been my understanding that users could not logon to locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.

I logged into a clients servers this afternoon and found that the Local Users group is allowed to Logon Locally.  I did this on several machines. They can not on a DC but member servers they have access to.  I know they are not allowed for Logon Remotely.

I would think this would be a security hole.  In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx It appears as a standard configuration.  Is anyone out there modifying this setting?  If so, how are you determining if it is ok to remove the users group form the logon locally rights assignment.

Thanks for your insight.

Tucker
0
Neadom Tucker
Asked:
Neadom Tucker
  • 3
  • 2
  • 2
  • +1
2 Solutions
 
McKnifeCommented:
Hi.

If you are not comfortable with it, modify it - nothing to think about. Sure is there no imminent danger as by default, users may not use RDP to logon to server.
0
 
efrimpolCommented:
In my 18 years of working in IT for various companies, I have never had a user enter the server room and log into a server. Some server rooms were locked 24/7, others were not, but all employee were fully aware that only IT Personnel were allowed to enter.

But please reference the following link

http://technet.microsoft.com/en-us/library/cc957048.aspx

and notice last statement:

"By default, there are no accounts denied the ability to logon locally."

You will have to set a GPO if you wish to change this.
0
 
efrimpolCommented:
Also, "McKnife" is correct. Unless you configure a user via the Remote Desktop Group for a particular server, no employee should be able to log into a server even via RDP.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
Neadom TuckerAuthor Commented:
Oh I agree!  I am aware of the right assignment.  But no-one has answered my question.  Are you doing this?  Deny Logon Locally for the Users group?  If so,  please provide the details.  Do you do this for all servers or just some servers.  Has this broken anything?

With the implementation of Visualization it is not so much of an issue but still a security hole for Small Businesses with unsecured server closets or servers under a desk.
0
 
Neil RussellTechnical Development LeadCommented:
The first and most important aspect of any security policy is the Physical Access.  Take that away and you have done more than 50% of the job.  

IF you allow unsecured, unmonitored access to servers then yes, you need to consider everything that could possibly be done and address it.  Its a simple group policy change and I am sure that in some environments its a done thing and in others its never considered due to physical security.

Why would it NOT be ok to do? If it is just a member server doing, for example file and print or serving web pages, why would LOG ON LOCALLY affect an account that is NOT logging on locally?
0
 
McKnifeCommented:
Do you know the logon types network logon vs. local logon? Taking away local logon does not break anything.
No, I don't consider it necessary to do this myself. Since DCs don't allow local logons to users, you should be able to see what the consequences are for network access: none.
0
 
Neadom TuckerAuthor Commented:
Thanks guys.
0
 
efrimpolCommented:
An additional security measure that we implemented are security cameras throughout the building. But it's always the one pointing directly at the computer room door that seems to keep people away.

LOL
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now