hboogz (Posts: 21), 02/14/2012 9:06 PM
All - I've looked at the following articles:
http://msdn.microsoft.com/en-us/library/ms813612.aspx
http://support.microsoft.com/kb/980360
But I have a quick question. I'm at a location where they have mixed 2008 and 2003 R2 DCs (32 and 64 bit). There is a policy linked at the domain level that has the following User Right Assignment setting:
Access this computer from the network: Everyone
Since this is at the domain level, my gut tells me this isn't best practice, but I want to run it by the group to help me understand what the implications are should I change the setting. And if I do change it, which are the recommended default groups? Or is it just fine?
This isn't a shop that needs to conform to any particular security policy; however, security best practices are keen and well regarded.
dmarelia (Posts: 442), 02/14/2012 9:49 PM
Harry- This user right essentially controls who can log on over the network (as opposed to the console) to a given Windows device. Given that this need is pretty ubiquitous for a lot of use cases, I would be careful about changing it at the domain level. One approach you might consider is that if you really do need to exclude this right for a subset of computers, that you use the "Deny Access this Computer from the Network" right to explicitly deny particular groups of users to particular groups of computers (scoped more narrowly of course). I think that is the safest bet here.
Darren
omar (Posts: 98), 02/14/2012 10:04 PM
I would add one more thing or two.
First- I agree with Darren- don't mess with this setting- big problems can and will occur.
Now- if you want to restrict a user to a certain set of computers- you can use the Account tab and the "Log On To" button in Active Directory to select which computers that user can log on to, but- since GPO processing must occur- you may be required to add the domain controller as well.
But with the setting you cited in your message and the setting in the user account- that still does not grant a user the right to log on locally or remotely using Remote Desktop.
You may want to be testing with the setting that is named something like "Allow log on locally"- otherwise state your objective and help will be gladly given.
Thanks,
Omar
john.vanmeter (Posts: 44), 02/14/2012 10:06 PM
Sorry, that doesn't meet best practice and should fail a security assessment.
Just my shiny penny,
John
dmarelia (Posts: 442), 02/14/2012 10:22 PM
John- Are you saying that granting "Access this Computer from the Network" to Everyone would fail a security assessment? I have yet to see that be the case. Remember that Everyone, at least after 2003 SP1, is the same as Authenticated Users. That means that setting this at the domain level means only users in the domain can access systems in the domain. However, keep in mind that having this user right does not necessarily authorize a user to access resources on those systems. It only allows them to authenticate to the system over the network (not log on locally, as Omar mentions). On the other hand, removing this right across the board will likely break a lot of stuff. I prefer to authorize "higher up the stack," so I generally don't touch this except on an exception basis.
Darren
hboogz (Posts: 21), 02/14/2012 10:24 PM
Darren and Omar - Thanks for the points of clarity. Very much appreciated.
My objective really is trying to confirm whether the Everyone group should remain in that user right assignment or should be set to Not Defined. Based on the links I provided, my assumption is that if I remove the Everyone group and set the policy to Not Defined, the default groups mentioned, which include Everyone, should still have access.
I agree that narrowly scoping a subset of computers I want to enforce a Deny policy on would be the way to go. Thanks.
Controlling RDP is a concern, and I believe that I can manage access using a separate GPO with both "Allow log on locally" and the addition of the respective groups to Remote Desktop Users, and then scope it to the respective OUs.
Definitely welcome suggestions and what the group has done to control this particular user right assignment and RDP access.
Thanks,
Harry.
john.vanmeter (Posts: 44), 02/14/2012 10:29 PM
Doesn't "Everyone" include both authenticated and non-authenticated users?
John
omar (Posts: 98), 02/14/2012 11:04 PM
That's a really good question, and the short answer is no/yes/maybe :)
Actually there is a better answer, and to understand this we need to consider the anonymous user- or in your term- non-authenticated users.
I have had situations where organizations wanted Windows print servers to allow anyone to access the shared printer- even non-authenticated users. And to make that work- we needed Everyone in the ACL and we needed a few registry keys to enable that.
So with that said- in a domain environment running Windows 2003 SP1 or greater- Everyone is the same as Authenticated Users in general, unless steps are taken to allow anonymous access.
Now to go further- as many security docs say to remove Everyone and add Authenticated Users or Domain Users- I would test network services like DHCP and DNS before I make that change- but I would think they would be unaffected. What would be affected- who knows, and testing is the key to understanding this.
Now we are getting more into security than GPO, but clearly related- here is some info I dug up:
Who is in the Everyone group:
http://support.microsoft.com/kb/278259
NSA recommendations for Windows 2000 GPO for this particular setting (you can find this on the NSA website):
LOCAL WORKSTATIONS:
Administrators
Users
SERVERS:
Administrators
Authenticated Users (DCs only)
Enterprise Domain Controllers (DCs only)
Users (Member Servers only)
From Microsoft:
Excerpt below is from the link: http://support.microsoft.com/kb/257346
Also, users cannot log on to the domain if Everyone is missing the "Access this computer through the network" right. If you want to remove the Everyone group, you should replace it with Authenticated Users, Enterprise Domain Controllers, System, and Administrators.
I find it interesting that Microsoft recommends adding System in, where the NSA didn't- but best of luck.
Thanks,
Omar
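The two reference lists Omar posted are the kind of thing worth checking mechanically against what a GPO actually grants, rather than eyeballing in the editor. The Python script below is an added example, not code from the gptalk list, from Microsoft or from the NSA guide. It parses the [Privilege Rights] section of an exported security template (the GptTmpl.inf format that secedit /export and a GPO's SecEdit folder use, where principals appear as *SID tokens), resolves the well-known SIDs, and flags the situations discussed in this thread: Everyone still granted, Everyone removed without the KB 257346 replacement set, an empty right, and a deny right aimed at a broad group. The template text, the CONTOSO\Contractors group and the finding codes are all constructed for the example.

```python
"""Audit SeNetworkLogonRight ("Access this computer from the network") in an
exported security template.  Added example; not from the mailing list or from
Microsoft.  The template text at the bottom is constructed for illustration."""

# Well-known SIDs as they appear in a GptTmpl.inf export (prefixed with '*').
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
}

# Replacement set from KB 257346, as quoted in the thread: if Everyone is
# removed, these four must be granted or domain users cannot log on.
KB257346_REPLACEMENT = {"Authenticated Users", "Enterprise Domain Controllers",
                        "SYSTEM", "Administrators"}

# Principals broad enough that denying them network logon breaks the domain.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Users", "Domain Users"}


def parse_privilege_rights(template_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section.

    Tokens are comma-separated; '*S-1-...' is a SID, anything else is a name
    secedit could not map to a SID and is kept verbatim."""
    rights = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = []
        for token in value.split(","):
            token = token.strip()
            if not token:
                continue
            if token.startswith("*"):
                principals.append(WELL_KNOWN_SIDS.get(token[1:], token[1:]))
            else:
                principals.append(token)
        rights[name.strip()] = principals
    return rights


def audit_network_logon(rights):
    """Return a list of (code, message) findings for the network logon right."""
    findings = []
    if "SeNetworkLogonRight" not in rights:
        findings.append(("not-defined", "SeNetworkLogonRight is not defined "
                         "in this template; the OS default set applies"))
        return findings
    allow = set(rights["SeNetworkLogonRight"])
    deny = set(rights.get("SeDenyNetworkLogonRight", []))
    if not allow:
        findings.append(("empty", "right is defined but empty: no network logon at all"))
    elif "Everyone" in allow:
        findings.append(("everyone-granted", "Everyone is granted; on 2003 SP1 and later "
                         "this equals Authenticated Users unless anonymous access was enabled"))
    else:
        missing = KB257346_REPLACEMENT - allow
        if missing:
            findings.append(("missing-replacement", "Everyone removed but the KB 257346 "
                             "replacement set is incomplete; missing: " + ", ".join(sorted(missing))))
    broad = BROAD_PRINCIPALS & deny
    if broad:
        findings.append(("broad-deny", "SeDenyNetworkLogonRight applied to broad principals: "
                         + ", ".join(sorted(broad)) + "; deny overrides allow"))
    return findings


def audit_template(template_text):
    return audit_network_logon(parse_privilege_rights(template_text))


# Constructed templates: a domain-level GPO like the one in the thread, and a
# hardened one using the KB 257346 set with a narrowly scoped deny.
DOMAIN_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
SeDenyNetworkLogonRight = *S-1-5-32-546
"""

HARDENED_TEMPLATE = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-9,*S-1-5-18,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546,CONTOSO\\Contractors
"""

if __name__ == "__main__":
    for label, text in (("domain", DOMAIN_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label + ":")
        for code, msg in audit_template(text) or [("ok", "no findings")]:
            print("  [%s] %s" % (code, msg))
```

To run it against a real export, read the file with encoding="utf-16" (secedit writes UTF-16LE with a BOM) and pass the text to audit_template. The audit deliberately treats Everyone as informational rather than a failure, matching Darren's point that on 2003 SP1 and later it equals Authenticated Users unless anonymous access has been turned on; what it does treat as a hard problem is the lockout case KB 257346 warns about.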
dmarelia (Posts: 442), 02/14/2012 11:04 PM
No, not since 2003 SP1.