I know by default RDP does not allow any non-admin user to RDP into a machine unless we specify it. But a non-admin user can log on to the machine at the console.
I was looking at the "Allow log on locally" GPO security setting under the User Rights Assignment Security Settings group and it says by default the following can log on locally:
- On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
- On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.
Isn't it a security risk allowing anyone in the "Users" group (which "Domain Users" is a member of by default) console access to servers? I was always curious why Microsoft allowed the Users and Guest group access to servers.
I would think removing both Guest and Users from this security policy would be best practice for servers.
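An audit script for the right the post is asking about, added here as an example and not part of the original post: it exports the local User Rights Assignment with secedit and reports who currently holds "Allow log on locally" (SeInteractiveLogonRight), flagging the Users and Guests groups and any Guest account. The $Flagged table, the temp file path and the output layout are assumptions of this example; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit the effective "Allow log on locally"
# right (SeInteractiveLogonRight) on this machine and flag the groups the post discusses.
# Assumptions: secedit.exe writes an INF with a [Privilege Rights] section; the $Flagged
# table below is constructed for this illustration.

$Flagged = @{
    'S-1-5-32-545' = 'Users'   # BUILTIN\Users; Domain Users is nested here on domain members by default
    'S-1-5-32-546' = 'Guests'  # BUILTIN\Guests
}

$cfg = Join-Path $env:TEMP 'logon-rights.inf'
# Export only the User Rights Assignment area of the local security policy.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated session." }

$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Output 'SeInteractiveLogonRight is not defined in the local policy (nobody explicitly granted).'
    return
}

# Values are comma-separated SIDs prefixed with '*' (occasionally plain account names).
$entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }

foreach ($entry in $entries) {
    $name = $entry
    if ($entry -match '^S-1-') {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = "$entry (unresolved SID)" }
    }
    # Match on the well-known SID so a renamed group is still caught; Guest accounts end in RID 501.
    $warn = $Flagged.ContainsKey($entry) -or ($entry -match '-501$')
    $tag  = if ($warn) { 'REVIEW' } else { 'ok' }
    Write-Output ("{0,-7} {1,-45} {2}" -f $tag, $name, $entry)
}
```

Lines tagged REVIEW are the principals the post proposes removing from the policy; compare the list against the defaults quoted above before changing the GPO, since the setting replaces rather than merges the local list when applied.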