4sysops - The online community for SysAdmins and DevOps
Center for Internet Security, local policies/user rights assignment.
Security policy settings are sets of rules that control various aspects of protection. They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are:
As most organizations use an Active Directory domain, it is preferred to apply security settings via group policies. You should have at least three security baselines created and linked in your domain, based on the following machine types:
Configuring user rights assignment via Group Policy
If you have multiple versions of operating systems (OS) running on these machines, you should create separate baselines for each OS version, as some settings might not be available. This also enables stricter configuration for older systems, as they are usually less secure.
Security policies do not support generated group names
The following groups are used throughout this article:
The Center for Internet Security (CIS) is a well-known non-profit organization that focuses on cybersecurity. To improve your knowledge of cybersecurity, you can access their free materials:
Both can be downloaded in exchange for your email address. There's no need to worry—there will be no further emails unless you choose to receive them.
Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings.
CIS Benchmarks example
User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as logging on locally, logging on remotely, accessing the server from the network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be configured.
For each setting, the following format is used:
Name of the setting: Recommended value, or values
Access Credential Manager as a trusted caller: No one (empty value)
Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege.
Access this computer from the network: Administrators, Authenticated Users
Required for users to connect to the computer and its resources, such as an SMB share, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.
Note: On DCs, you should also add the “ENTERPRISE DOMAIN CONTROLLERS” group.
Allow log on locally: Administrators
The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.
Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users
It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege.
Note: On the DC, it is recommended to allow only administrators to connect via RDP.
Back up files and directories: Administrators
This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could back up the data and restore it on a different computer, thereby gaining access to it.
Deny access to this computer from the network/Deny log on through Terminal Services: Local account and member of Administrators group, Guests
The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so that if a local elevated account is compromised, it cannot be used to elevate privileges on any other network resource or to access one via RDP.
Force shutdown from a remote system/Shut down the system: Administrators
Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.
Manage auditing and security log: Administrators
This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.
Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.
Restore files and directories: Administrators
Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.
Take ownership of files or other objects: Administrators
A user with this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.
Deny log on as a batch job/Deny log on as a service/Deny log on locally: Guests
To increase security, you should include the Guests group in these three settings.
Debug programs/Profile single process/Profile system performance: Administrators
This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.
Change the system time: Administrators, Local Service
Changes in system time might lead to DoS issues, such as the inability to authenticate to the domain. The Local Service account is required so that the Windows Time service, the VMware Tools service, and others can synchronize system time with the DC or ESXi host.
Create a token object: No one (empty value)
Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.
Impersonate a client after authentication: Administrators, Local Service, Network Service, Service
An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.
Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.
Load and unload device drivers: Administrators
Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.
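To check a server against the baseline above, the following PowerShell script (an added example, not part of the original article) exports the effective User Rights Assignment with secedit and reports every principal that is present but not recommended, or recommended but absent. It assumes a domain-joined member server run from an elevated prompt; DC-only additions such as ENTERPRISE DOMAIN CONTROLLERS and the Exchange or IIS groups are not in the baseline table, so adjust `$Baseline` for those roles.

```powershell
# Added audit example (not from the 4sysops article). Run elevated.
# Well-known SIDs of the groups the article names (assumption: member server).
$Sid = @{
    Administrators     = 'S-1-5-32-544'
    Guests             = 'S-1-5-32-546'
    RemoteDesktopUsers = 'S-1-5-32-555'
    AuthenticatedUsers = 'S-1-5-11'
    LocalService       = 'S-1-5-19'
    NetworkService     = 'S-1-5-20'
    Service            = 'S-1-5-6'
    LocalAccountAdmins = 'S-1-5-114'   # "Local account and member of Administrators group"
}
# Recommended values from the article, keyed by the constant secedit uses.
$Baseline = @{
    SeTrustedCredManAccessPrivilege   = @()
    SeNetworkLogonRight               = @($Sid.Administrators, $Sid.AuthenticatedUsers)
    SeInteractiveLogonRight           = @($Sid.Administrators)
    SeRemoteInteractiveLogonRight     = @($Sid.Administrators, $Sid.RemoteDesktopUsers)
    SeBackupPrivilege                 = @($Sid.Administrators)
    SeRestorePrivilege                = @($Sid.Administrators)
    SeDenyNetworkLogonRight           = @($Sid.LocalAccountAdmins, $Sid.Guests)
    SeDenyRemoteInteractiveLogonRight = @($Sid.LocalAccountAdmins, $Sid.Guests)
    SeDenyBatchLogonRight             = @($Sid.Guests)
    SeDenyServiceLogonRight           = @($Sid.Guests)
    SeDenyInteractiveLogonRight       = @($Sid.Guests)
    SeShutdownPrivilege               = @($Sid.Administrators)
    SeRemoteShutdownPrivilege         = @($Sid.Administrators)
    SeSecurityPrivilege               = @($Sid.Administrators)
    SeTakeOwnershipPrivilege          = @($Sid.Administrators)
    SeDebugPrivilege                  = @($Sid.Administrators)
    SeSystemtimePrivilege             = @($Sid.Administrators, $Sid.LocalService)
    SeCreateTokenPrivilege            = @()
    SeImpersonatePrivilege            = @($Sid.Administrators, $Sid.LocalService, $Sid.NetworkService, $Sid.Service)
    SeLoadDriverPrivilege             = @($Sid.Administrators)
}
# Export only the user rights area of the effective local policy to a temp INF.
$inf = Join-Path $env:TEMP 'ura-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
# INF lines look like: SeRight = *S-1-5-32-544,*S-1-5-11  (SIDs carry a '*' prefix;
# principals secedit could not resolve may appear as bare names).
$current = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $current[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
# Extra principals are the security findings; missing ones usually mean a
# required service account (e.g. Local Service for time sync) was forgotten.
foreach ($right in ($Baseline.Keys | Sort-Object)) {
    $have = if ($current.ContainsKey($right)) { @($current[$right]) } else { @() }
    $want = @($Baseline[$right])
    $extra   = @($have | Where-Object { $want -notcontains $_ })
    $missing = @($want | Where-Object { $have -notcontains $_ })
    if ($extra.Count -or $missing.Count) {
        [pscustomobject]@{ Right = $right; Extra = ($extra -join ','); Missing = ($missing -join ',') }
    }
}
```

An empty report means the server matches the article's recommendations; a right that is absent from the INF entirely is reported as missing all its recommended principals, which for the two "No one" settings is the desired state.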
I hope this article helped you to understand why it is important to define a security baseline for your systems. Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions.
Created a domain account to use as a service account and then tried to run PowerShell cmdlets against the active RDS management server.
Gave that account local admin access on the broker servers and then was able to get further.
Got the error “Access is denied” when trying to run Invoke-RDUserLogoff (with correct HostServer and UnifiedSessionID values) to log off a session using that account.
Need to know what permissions should be granted to the account to provide ability to run this command and where like on the broker or the session host.
I can’t run the RD cmdlets on the RD broker to remove a user session without local administrator privileges on the broker and session host.
I need to know what user permissions are necessary to run these cmdlets as giving local admin is not desired.
Sir, we are having user1 in server1. We want to collect logs of server1 from server2 using credentials of user1. Surprisingly, even after entering the credentials of user1 in Event Viewer, it is taking the logged-in credentials of the user logged into server2.
Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting.
This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It's possible for a user to establish a Remote Desktop connection to a particular server, but not be able to sign in to the console of that server.
Constant: SeDenyRemoteInteractiveLogonRight
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Not defined |
| Domain Controller Effective Default Settings | Not defined |
| Member Server Effective Default Settings | Not defined |
| Client Computer Effective Default Settings | Not defined |
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
The Remote System property controls settings for Remote Desktop Services (Allow or prevent remote connections to the computer) and for Remote Assistance (Allow Remote Assistance connections to this computer).
This policy setting supersedes the Allow log on through Remote Desktop Services policy setting if a user account is subject to both policies.
Group Policy settings are applied in the following order. They overwrite settings on the local device at the next Group Policy update.
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Any account with the right to sign in through Remote Desktop Services could be used to sign in to the remote console of the device. If this user right isn't restricted to legitimate users who need to sign in to the console of the computer, malicious users might download and run software that elevates their user rights.
Assign the Deny log on through Remote Desktop Services user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to other accounts that are required by those components.
If you assign the Deny log on through Remote Desktop Services user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right can't connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks aren't negatively affected.