Local Policies – User Rights Assignments
The first thing you notice is just how many User Rights Windows Server 2003 provides; there is a right for almost every aspect of system security in this folder.
A classic ‘vanilla’ installation of Active Directory functions adequately without you changing any of these settings. The reason you may never need to configure this section is that most of these rights are already bestowed on people through membership of the appropriate built-in group. For instance, put the people who need to back up files in the Backup Operators group. One company foolishly created a TechAdmin group and spent ages adding important rights to it, not realizing that the built-in Administrators group already did the same job!
What then is the benefit of these settings? I would divide User Rights into three categories:
1) Rights for special accounts. For example, the SQL Server Agent service account needs Log on as a service.
2) Prevention of users getting into mischief. For example, removing ordinary users from Shut down the system on a Terminal Server. (Note that there is no ‘Deny shut down’ policy; you take the group off the allow list.)
3) Specialist rights for one-off situations. For example, letting the roll-out team Add workstations to domain, without making them full administrators.
* Guy’s Top Three User Rights Policies
- Shut down the system – remove ordinary users on a Terminal Server
- Restore files and directories – stop Backup Operators sneakily restoring
- Allow log on locally – testing accounts on a Domain Controller
When you create service accounts you may wish to fine-tune their capabilities. Such accounts are used by SQL Server and older versions of Exchange. The danger is that service account passwords are rarely changed (they are usually set never to expire), so they are a magnet for attackers. More often than not these accounts have predictable names like SQLAdmin, so an attacker guesses the name, cracks the password and breaches the system. Your last line of defence is to give these accounts only the specific rights they need, not full administrative control.
Rights that fall into this special category are: Log on as a batch job, Log on as a service, Enable computer and user accounts to be trusted for delegation, Increase scheduling priority and possibly Lock pages in memory. The first two are what a service normally needs; the delegation right is a powerful one (by default only Administrators on Domain Controllers hold it), so grant it only when you know why the service requires it. It is also worth pairing Log on as a service with Deny log on locally and Deny log on through Terminal Services for the same account, so that a cracked service password cannot be used for an interactive session.
- Deny log on through Terminal Services, for accounts that should never get a remote desktop session, such as service accounts.
- Shut down the system. Remove ordinary users from this right so that they cannot power off the very Terminal Server that provides desktops for them and their colleagues.
- Restore files and directories. Remove Backup Operators from this right so that they cannot sneakily restore the HR database. My point is that if you had to restore files, you would most likely call upon a senior administrator, not a humble backup operator. (The restore right lets its holder write any file regardless of its NTFS permissions, so taking it away is a genuine reduction in privilege.)
- Add workstations to domain. Better to give the roll-out engineers this limited right than to make them full administrators. By default Authenticated Users already hold this right on Domain Controllers and each user can join up to 10 workstations; that limit comes from the domain’s ms-DS-MachineAccountQuota attribute, not from the user right. If the roll-out team must join more than 10 machines, the least-privilege route is to grant them Create Computer Objects permission on the target OU, which is not subject to the quota.
- Allow log on locally. When you only have a Domain Controller available for trying out newly created users, you need to give those accounts this right, because by default ordinary users cannot log on at a DC’s console. You could instead make the test accounts Backup Operators, who already have the right to log on locally, but that also hands them backup and restore privileges, so granting Allow log on locally directly is tidier.
- Modify firmware environment values. Possible scenario: an outsourced team needs to upgrade the hardware.
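The three categories above (special accounts, stopping mischief, one-off rights) can all be applied and checked from the command line with secedit.exe, which is built into Windows Server 2003 and later. The script below is an added example, not code from the original article: it exports the current User Rights Assignment, merges in the grants and revocations you ask for, applies the result, and prints who holds each right afterwards. It assumes an elevated PowerShell session (on Server 2003 PowerShell has to be installed separately; secedit itself is always there), and the domain CONTOSO with the account svc_sqlagent and the groups RolloutTeam and TestAccounts are placeholders that must exist before you run it. The merge step matters: secedit replaces the entire list for every privilege it is handed, so a template that names only the new account silently strips everyone else.

```powershell
# Added example, not code from the original article. Run in an elevated PowerShell on
# the server whose local User Rights Assignment you want to change. Placeholders that
# must exist in your domain first: CONTOSO\svc_sqlagent, CONTOSO\RolloutTeam,
# CONTOSO\TestAccounts. secedit /configure REPLACES the whole list for each privilege
# in the template, so the current assignment is read first and merged, not overwritten.

function ConvertTo-SidString([string]$Principal) {
    # Accepts 'DOMAIN\name', 'S-1-...' or the INF form '*S-1-...'; returns 'S-1-...'
    $p = $Principal.TrimStart('*')
    if ($p -match '^S-1-') { return $p }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($p)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { throw "Cannot resolve '$p' to a SID; does the account or group exist?" }
}

function ConvertTo-AccountName([string]$Sid) {
    # Reverse lookup for display; an orphaned SID (deleted account) is shown as-is
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }
}

function Get-UserRights {
    # Exports the effective local policy and parses [Privilege Rights] into
    # @{ SePrivilegeName = @('S-1-...', ...) }. The export is UTF-16 with a BOM,
    # which Get-Content handles.
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    Remove-Item $inf -ErrorAction SilentlyContinue
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in (Get-Content $inf)) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $priv = $Matches[1]; $who = $Matches[2]
            $rights[$priv] = @($who -split ',' | Where-Object { $_.Trim() } |
                               ForEach-Object { ConvertTo-SidString $_.Trim() })
        }
    }
    return $rights
}

function Set-UserRights {
    param([hashtable]$Grant = @{}, [hashtable]$Revoke = @{})
    $current = Get-UserRights
    $desired = @{}
    foreach ($priv in (@($Grant.Keys) + @($Revoke.Keys) | Select-Object -Unique)) {
        $have = if ($current.ContainsKey($priv)) { @($current[$priv]) } else { @() }
        $add  = @(@($Grant[$priv])  | Where-Object { $_ } | ForEach-Object { ConvertTo-SidString $_ })
        $drop = @(@($Revoke[$priv]) | Where-Object { $_ } | ForEach-Object { ConvertTo-SidString $_ })
        $desired[$priv] = @(($have + $add) | Select-Object -Unique | Where-Object { $drop -notcontains $_ })
    }
    # Lock-out guard: Administrators (S-1-5-32-544) keep console logon and are never denied it.
    $admins = 'S-1-5-32-544'
    if ($desired.ContainsKey('SeInteractiveLogonRight') -and $desired['SeInteractiveLogonRight'] -notcontains $admins) {
        throw 'Refusing to remove Administrators from Allow log on locally'
    }
    if ($desired.ContainsKey('SeDenyInteractiveLogonRight') -and $desired['SeDenyInteractiveLogonRight'] -contains $admins) {
        throw 'Refusing to deny Administrators local logon'
    }
    # Build a security template INF; principals are written in the *SID form secedit uses
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($priv in $desired.Keys) {
        $lines += '{0} = {1}' -f $priv, (@($desired[$priv] | ForEach-Object { "*$_" }) -join ',')
    }
    $inf = Join-Path $env:TEMP 'userrights-apply.inf'
    $db  = Join-Path $env:TEMP 'userrights-apply.sdb'
    $log = Join-Path $env:TEMP 'userrights-apply.log'
    Remove-Item $db, $log -ErrorAction SilentlyContinue
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /log $log | Out-Null
    # secedit records unresolved names in its log rather than failing, so surface them
    Get-Content $log | Where-Object { $_ -match 'Error \d+' }
    return $desired
}

function Show-UserRights([string[]]$Privilege) {
    $rights = Get-UserRights
    foreach ($p in $Privilege) {
        $who = if ($rights.ContainsKey($p) -and $rights[$p].Count) {
                   @($rights[$p] | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ' } else { '(nobody)' }
        '{0,-36} {1}' -f $p, $who
    }
}

# The article's three categories, expressed as grants and revocations
$grant = @{
    SeServiceLogonRight               = @('CONTOSO\svc_sqlagent')  # 1) service account: Log on as a service...
    SeDenyInteractiveLogonRight       = @('CONTOSO\svc_sqlagent')  #    ...but a cracked password gives no console session
    SeDenyRemoteInteractiveLogonRight = @('CONTOSO\svc_sqlagent')  #    ...and no Terminal Services session either
    SeMachineAccountPrivilege         = @('CONTOSO\RolloutTeam')   # 3) roll-out team joins machines without being admins
    SeInteractiveLogonRight           = @('CONTOSO\TestAccounts')  # 3) test users may log on at a DC console
}
$revoke = @{
    SeShutdownPrivilege = @('BUILTIN\Users')             # 2) Terminal Server users cannot power it off
    SeRestorePrivilege  = @('BUILTIN\Backup Operators')  # 2) backup yes, restore no
}
$watch = @($grant.Keys) + @($revoke.Keys)
'--- before ---'; Show-UserRights $watch
Set-UserRights -Grant $grant -Revoke $revoke | Out-Null
'--- after ----'; Show-UserRights $watch
```

Two caveats when you use this in a domain. First, secedit only edits the local security policy; on a domain member any GPO that sets the same right wins at the next policy refresh, so for a production setting put the same [Privilege Rights] lines into a template and import it into the GPO linked to the Terminal Server OU or the Domain Controllers OU (in the Group Policy editor, right-click Security Settings and choose Import Policy). The script is still useful there for confirming what a server actually ended up with after gpupdate. Second, run the ‘before’ listing and revoke whichever groups you actually see on Shut down the system; the default membership differs between a Domain Controller, a member server and a workstation.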