Allow log on locally in Default Domain Controller Policy.

I was looking over our group policy settings while studying for 70-292 and
noticed that the group Domain Users is included in the Allow log on locally
setting in the Default Domain Controller Policy. Is this ok or dangerous?
Is it necessary? DCs are 2003 standard.

 

That is not a default install. The default install has Account Operators,
Administrators, Backup Operators, Print Operators and Server Operators in
the list to Allow log on locally.
Your config is not recommended and is a security problem. I would change it
if I were you.

Bill Griffith

 

Is your DC also serving double duty as possibly a File or Printer server?

Your System Administrator may have an explanation, if you are not the
sysAdmin...then ask him or her (respectfully, if possible.) if they knew
about it and/or intended to include domain users in the "logon locally"
permission list, and if so...why?

Asked in the right way you may get an explanation that is reasonable, given
the circumstances of your companies environment.

Even the best guidelines have exceptions...that's why the are called
Guideline, instead of rules.

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It has to be this way in the domain policy... the logon locally policy
affects all domain computers. Nobody could log onto any domain computer
if it were denied. However, that's for the domain policy, which
propagates to domain computers... not the server's own policy which does
not propagate. It should probably be removed from the server's
permissions, if it's there.

Rainman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCp6XE9ZOMhmWO5XkRAr/FAJ0Z63mvjdzdUx9RKvhY43kP0XuSHQCdFbb0
wXHneiJZq7VYhItyYtH2kNg=
=ayLn
-----END PGP SIGNATURE-----

 

There is no reason that a normal user needs to logon to a Domain Controller.
Anything he needs should be accessed through an API. Files are access
through shares, printers through spooler, applications through whatever API
that the app provides. Only members of one of the Admin groups, by default,
are allowed Logon rights to a DC. Member servers are an entirely different
issue.

Are we talking about the same thing?

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is one reason why a normal user needs logon locally permissions to
the server: FTP via IIS. If the user needs FTP access to the server, you
HAVE to give him local logon rights, just because that's the way IIS works.

However, it is more likely the answer to this problem lies in my
previous post in this thread...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCqbRk9ZOMhmWO5XkRAjWvAJ0Z2HcgTi2RbCxmw/38TFnqVEimJACfeYyN
MeUR8n07AJTwj/OlFoBrnCY=
=fQ/S
-----END PGP SIGNATURE-----

 

As noted by your explanation. If you are aware that you are circumventing
accepted practices for a DC and are willing to accept the risk..that is your
decision.

My point is still valid, given accepted practice and for security...no user
has a reason for local access to a DC. Even placing an FTP server on a DC,
you can still set up your permission to avoid giving local logon access to
normal users.

If you feel it acceptable risk, It's your system, do as you feel is
reasonable. I still suggest you research a better solution.

 

Maybe you should read the original question more carefully. He said Default
Domain Controllers Policy.

Bill Griffith

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Personally I suggest not using FTP on a DC at all, because IIS, like IE,
is notorious for security holes... not to mention that it just wouldn't
be useful unless you're doubling up server duties for lack of cash...
but unfortunately it is necessary for the feature if somebody does make
that (poor) choice.

Rainman

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCqlmv9ZOMhmWO5XkRAj2uAJ9HwgVDvytDad9Kr3mb1+b3zI7EuwCffpxC
ayOuYOk/DP8VgrHn5xj+v0c=
=xon4
-----END PGP SIGNATURE-----

 

rainman touches fat people... film at eleven.

 

rainman touches fat people... film at eleven...

 

rainman is notorious for his security holes...