Active Directory user rights for Windows domain controllers and servers

When you perform a task on a Windows computer, that task is typically controlled by user rights, which are, in turn, controlled by each server individually. Some of the most common user rights that you have become familiar with include logging on locally, backing up files and folders and accessing the computer over the network.

However, there are some user rights that are more critical than others because they control key aspects of the server, which an attacker could exploit. In this tip, I will point out some of the settings that are different for domain controllers versus member servers.

Domain controller user rights

The user rights for domain controllers and member servers are different because of the default behavior of the domain controller in Active Directory. Domain controllers' default user rights are established by one of the two default Group Policy Objects (GPOs) that are included with every installation of Active Directory. The Default Domain Controllers policy is the GPO responsible for establishing the user rights on a domain controller when it is entered into the domain.

Allow logon locally user right

There are a few user rights that the Default Domain Controllers policy establishes for domain controllers that you might want to consider for your member servers. For domain controllers, only "Administrator" type groups are given the privilege to log on to the console. This helps protect the domain controller from just any user logging on in this manner. However, since there are no GPOs from Active Directory modifying the default user rights for member servers, any user is allowed to log on locally to a Windows 2000 or Windows Server 2003 member server. This includes your servers containing HR data and financial data.

Allow Logon Through Terminal Services

If you are running a Windows 2000 server configured to allow Terminal Services sessions, you must give those connecting users the "Allow Logon Locally" user right. Of course, this is not a desired configuration; it is a mandatory one if these connections are to work. Knowing that this was a security issue, Microsoft added a new user right for Windows XP and Windows Server 2003 computers. The user right is "Allow Logon Through Terminal Services." This new right allows users to connect to a Terminal Services session without having the privilege to log on locally.
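To see where a given server stands on the two rights discussed above, the following PowerShell script (an added example, not part of the original tip) exports the local user-rights assignments with secedit and flags when "Allow log on locally" or "Allow log on through Terminal Services" is granted to a broad group such as Users, Everyone or Authenticated Users. It assumes secedit.exe is available and is run from an elevated prompt; the export path and the list of "broad" well-known SIDs are the script's own choices.

```powershell
# Added example: audit SeInteractiveLogonRight and SeRemoteInteractiveLogonRight
# on the local server. Run elevated. The broad-group SID list is an assumption.
$BroadSids = @{
    '*S-1-1-0'      = 'Everyone'
    '*S-1-5-11'     = 'Authenticated Users'
    '*S-1-5-32-545' = 'Users'
    '*S-1-5-32-546' = 'Guests'
}
$RightsOfInterest = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
}

function Get-PrivilegeRights {
    param([string]$ExportPath = (Join-Path $env:TEMP 'secpol-audit.inf'))
    # secedit writes an .inf whose [Privilege Rights] section holds one
    # "RightName = *SID,*SID,..." line per assigned user right.
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $ExportPath) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
    return $rights
}

function Test-LogonRights {
    $rights = Get-PrivilegeRights
    foreach ($name in $RightsOfInterest.Keys) {
        if (-not $rights.ContainsKey($name)) {
            # Windows 2000 has no SeRemoteInteractiveLogonRight: Terminal Services
            # users must hold "Allow log on locally" instead, so check that one closely.
            Write-Output "$name is not present (older OS or assigned to nobody)"
            continue
        }
        $broad = @($rights[$name] | Where-Object { $BroadSids.ContainsKey($_) } | ForEach-Object { $BroadSids[$_] })
        if ($broad.Count -gt 0) {
            Write-Warning ("{0} ({1}) is granted to broad groups: {2}" -f $RightsOfInterest[$name], $name, ($broad -join ', '))
        } else {
            Write-Output ("{0} ({1}): {2}" -f $RightsOfInterest[$name], $name, ($rights[$name] -join ', '))
        }
    }
}

Test-LogonRights
```

A member server left at its defaults will typically report Users among the holders of SeInteractiveLogonRight, which is exactly the gap between it and a domain controller that the tip describes.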

Summary

User rights are important to every Windows computer on the network. They provide controls that allow or prevent a user from performing tasks on each computer. User rights are in most cases associated with security areas of the computer, including accessing it locally, accessing it over the network and even backing up the files located on the server. Windows domain controllers receive more secure user rights because of the Default Domain Controllers policy. However, member servers are left with the default insecure configuration for many user rights. Knowing that there is a difference can help you protect all computers better. Also, knowing that there are new user rights in the newer operating systems provides insight that might encourage you to upgrade to the newest operating system to get better security options.


Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.

This was first published in February 2006
