6

I know by default RDP does not allow any non-admin user to RDP into a machine unless we specify it. But a non-admin user can logon to the machine at the console.

I was looking at the "Allow log on locally" GPO security setting under the User Rights Assignment Security Settings group and it says by default the following can log on locally:

  • On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
  • On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.

Isnt it a security risk allowing anyone in the "Users" group which by default "Domain Users" are a member of console access to servers? I was always curious why Microsoft allowed the Users and Guest group access to servers.

I would think removing both Guest and Users from this security policy would be best practice for servers.

cflyer
  • 503
  • 5
  • 8

1 Answers1

5

I believe you've answered your question yourself correctly. Users and Guest accounts should not have the "Allow log on locally" rights on servers, only Administrators (and Backup Operators if necessary).

Here is a MS KBA in which security countermeasures are described:

https://technet.microsoft.com/en-us/library/dn221980.aspx

Quote:

"For domain controllers, assign the Allow log on locally user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group.

Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the Deny log on locally user right."

Stef Heylen
  • 1,726
  • 1
  • 14
  • 16