Why are users allowed to Logon Locally to Member Servers by default?

I found something interesting today and was hoping someone could point me in the right direction as to why. It has always been my understanding that users could not log on locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.

I logged into a client's servers this afternoon and found that the local Users group is allowed to Log on Locally. I checked this on several machines. They cannot on a DC, but on member servers they have access. I know they are not allowed to Log on Remotely.

I would think this would be a security hole. In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx it appears to be a standard configuration. Is anyone out there modifying this setting? If so, how are you determining if it is OK to remove the Users group from the Log on Locally rights assignment?

Thanks for your insight.

Tucker
Neadom Tucker asked:

McKnife commented:
Hi.

If you are not comfortable with it, modify it - nothing to think about. Sure, there is no imminent danger, as by default users may not use RDP to log on to a server.
0
efrimpol commented:
In my 18 years of working in IT for various companies, I have never had a user enter the server room and log into a server. Some server rooms were locked 24/7, others were not, but all employees were fully aware that only IT personnel were allowed to enter.

But please reference the following link

http://technet.microsoft.com/en-us/library/cc957048.aspx

and notice the last statement:

"By default, there are no accounts denied the ability to logon locally."

You will have to set a GPO if you wish to change this.
0
efrimpol commented:
Also, "McKnife" is correct. Unless you configure a user via the Remote Desktop Group for a particular server, no employee should be able to log into a server even via RDP.
0

Neadom Tucker (author) commented:
Oh I agree! I am aware of the rights assignment. But no one has answered my question. Are you doing this? Deny Log on Locally for the Users group? If so, please provide the details. Do you do this for all servers or just some servers? Has this broken anything?

With the implementation of virtualization it is not so much of an issue, but it is still a security hole for small businesses with unsecured server closets or servers under a desk.
0
Neil Russell (Technical Development Lead) commented:
The first and most important aspect of any security policy is physical access. Take that away and you have done more than 50% of the job.

If you allow unsecured, unmonitored access to servers then yes, you need to consider everything that could possibly be done and address it. It's a simple group policy change, and I am sure that in some environments it's a done thing and in others it's never considered due to physical security.

Why would it NOT be OK to do? If it is just a member server doing, for example, file and print or serving web pages, why would LOG ON LOCALLY affect an account that is NOT logging on locally?
0
McKnife commented:
Do you know the logon types network logon vs. local logon? Taking away local logon does not break anything.
No, I don't consider it necessary to do this myself. Since DCs don't allow local logons to users, you should be able to see what the consequences are for network access: none.
0
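The thread's point is that the interesting question is who actually holds the interactive logon right on a given box. The following is an added PowerShell example, not code from the thread: it exports the effective local security policy with secedit, lists the principals granted "Allow log on locally" and "Deny log on locally", and flags the default member-server case where BUILTIN\Users (well-known SID S-1-5-32-545) is allowed and not explicitly denied. The temporary file path and the function names are my own; run it elevated on each server you want to check.

```powershell
# Added audit example (not from the thread). Requires an elevated prompt,
# since secedit /export reads the local security database.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users

function Get-UserRightSids {
    param([string]$Path, [string]$Right)
    # Exported lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = Get-Content $Path | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Resolve-Sid {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # plain account names in the export are returned unchanged
}

$allow = Get-UserRightSids -Path $inf -Right 'SeInteractiveLogonRight'
$deny  = Get-UserRightSids -Path $inf -Right 'SeDenyInteractiveLogonRight'

"Allow log on locally: " + (($allow | ForEach-Object { Resolve-Sid $_ }) -join ', ')
"Deny log on locally:  " + (($deny  | ForEach-Object { Resolve-Sid $_ }) -join ', ')

# The configuration the question describes: Users allowed and not explicitly denied.
if (($allow -contains $usersSid) -and ($deny -notcontains $usersSid)) {
    Write-Warning "BUILTIN\Users can log on interactively on $env:COMPUTERNAME (default member-server setting)."
} else {
    "BUILTIN\Users cannot log on interactively on $env:COMPUTERNAME."
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

On a domain controller the same script should show Users absent from the allow list, which matches the thread's observation; deny entries win over allow entries, so a GPO-delivered "Deny log on locally" for Users is enough to close the gap without editing the allow list.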

Neadom Tucker (author) commented:
Thanks guys.
0
efrimpol commented:
An additional security measure that we implemented are security cameras throughout the building. But it's always the one pointing directly at the computer room door that seems to keep people away.

LOL
0