Solved

Why are users allowed to Logon Locally to  Member Servers by default?

Posted on 2014-11-18
8
187 Views
Last Modified: 2014-11-21
I found something interesting today and was hoping someone could point me in the right direction as to why.  It has always been my understanding that users could not logon to locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.

I logged into a clients servers this afternoon and found that the Local Users group is allowed to Logon Locally.  I did this on several machines. They can not on a DC but member servers they have access to.  I know they are not allowed for Logon Remotely.

I would think this would be a security hole.  In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx It appears as a standard configuration.  Is anyone out there modifying this setting?  If so, how are you determining if it is ok to remove the users group form the logon locally rights assignment.

Thanks for your insight.

Tucker
0
Comment
Question by:Neadom Tucker
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40451039
Hi.

If you are not comfortable with it, modify it - nothing to think about. Sure is there no imminent danger as by default, users may not use RDP to logon to server.
0
 
LVL 6

Expert Comment

by:efrimpol
ID: 40451112
In my 18 years of working in IT for various companies, I have never had a user enter the server room and log into a server. Some server rooms were locked 24/7, others were not, but all employee were fully aware that only IT Personnel were allowed to enter.

But please reference the following link

http://technet.microsoft.com/en-us/library/cc957048.aspx

and notice last statement:

"By default, there are no accounts denied the ability to logon locally."

You will have to set a GPO if you wish to change this.
0
 
LVL 6

Expert Comment

by:efrimpol
ID: 40451114
Also, "McKnife" is correct. Unless you configure a user via the Remote Desktop Group for a particular server, no employee should be able to log into a server even via RDP.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 6

Author Comment

by:Neadom Tucker
ID: 40451172
Oh I agree!  I am aware of the right assignment.  But no-one has answered my question.  Are you doing this?  Deny Logon Locally for the Users group?  If so,  please provide the details.  Do you do this for all servers or just some servers.  Has this broken anything?

With the implementation of Visualization it is not so much of an issue but still a security hole for Small Businesses with unsecured server closets or servers under a desk.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 250 total points
ID: 40451211
The first and most important aspect of any security policy is the Physical Access.  Take that away and you have done more than 50% of the job.  

IF you allow unsecured, unmonitored access to servers then yes, you need to consider everything that could possibly be done and address it.  Its a simple group policy change and I am sure that in some environments its a done thing and in others its never considered due to physical security.

Why would it NOT be ok to do? If it is just a member server doing, for example file and print or serving web pages, why would LOG ON LOCALLY affect an account that is NOT logging on locally?
0
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 40451225
Do you know the logon types network logon vs. local logon? Taking away local logon does not break anything.
No, I don't consider it necessary to do this myself. Since DCs don't allow local logons to users, you should be able to see what the consequences are for network access: none.
0
 
LVL 6

Author Closing Comment

by:Neadom Tucker
ID: 40454724
Thanks guys.
0
 
LVL 6

Expert Comment

by:efrimpol
ID: 40458369
An additional security measure that we implemented are security cameras throughout the building. But it's always the one pointing directly at the computer room door that seems to keep people away.

LOL
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question