Solved

Why are users allowed to Logon Locally to  Member Servers by default?

Posted on 2014-11-18
8
184 Views
Last Modified: 2014-11-21
I found something interesting today and was hoping someone could point me in the right direction as to why.  It has always been my understanding that users could not logon to locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.

I logged into a clients servers this afternoon and found that the Local Users group is allowed to Logon Locally.  I did this on several machines. They can not on a DC but member servers they have access to.  I know they are not allowed for Logon Remotely.

I would think this would be a security hole.  In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx It appears as a standard configuration.  Is anyone out there modifying this setting?  If so, how are you determining if it is ok to remove the users group form the logon locally rights assignment.

Thanks for your insight.

Tucker
0
Comment
Question by:Neadom Tucker
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40451039
Hi.

If you are not comfortable with it, modify it - nothing to think about. Sure is there no imminent danger as by default, users may not use RDP to logon to server.
0
 
LVL 5

Expert Comment

by:efrimpol
ID: 40451112
In my 18 years of working in IT for various companies, I have never had a user enter the server room and log into a server. Some server rooms were locked 24/7, others were not, but all employee were fully aware that only IT Personnel were allowed to enter.

But please reference the following link

http://technet.microsoft.com/en-us/library/cc957048.aspx

and notice last statement:

"By default, there are no accounts denied the ability to logon locally."

You will have to set a GPO if you wish to change this.
0
 
LVL 5

Expert Comment

by:efrimpol
ID: 40451114
Also, "McKnife" is correct. Unless you configure a user via the Remote Desktop Group for a particular server, no employee should be able to log into a server even via RDP.
0
 
LVL 6

Author Comment

by:Neadom Tucker
ID: 40451172
Oh I agree!  I am aware of the right assignment.  But no-one has answered my question.  Are you doing this?  Deny Logon Locally for the Users group?  If so,  please provide the details.  Do you do this for all servers or just some servers.  Has this broken anything?

With the implementation of Visualization it is not so much of an issue but still a security hole for Small Businesses with unsecured server closets or servers under a desk.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 250 total points
ID: 40451211
The first and most important aspect of any security policy is the Physical Access.  Take that away and you have done more than 50% of the job.  

IF you allow unsecured, unmonitored access to servers then yes, you need to consider everything that could possibly be done and address it.  Its a simple group policy change and I am sure that in some environments its a done thing and in others its never considered due to physical security.

Why would it NOT be ok to do? If it is just a member server doing, for example file and print or serving web pages, why would LOG ON LOCALLY affect an account that is NOT logging on locally?
0
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 40451225
Do you know the logon types network logon vs. local logon? Taking away local logon does not break anything.
No, I don't consider it necessary to do this myself. Since DCs don't allow local logons to users, you should be able to see what the consequences are for network access: none.
0
 
LVL 6

Author Closing Comment

by:Neadom Tucker
ID: 40454724
Thanks guys.
0
 
LVL 5

Expert Comment

by:efrimpol
ID: 40458369
An additional security measure that we implemented are security cameras throughout the building. But it's always the one pointing directly at the computer room door that seems to keep people away.

LOL
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now