General discussion

  • #2287280

    Everyone can logon locally to servers

    Locked

    by nics ·

    I have just discovered that all users can logon locally to our Windows 2000 Servers. Obviously I want to change this immediately. What is the best practice for changing this to local Admins and Domain Admins only? Some of the servers are domain controllers, and some are not. Do I use local security policy for non-DCs and Domain Controller security policy for DCs?

    Thanks

All Comments

    • #3381594

      Reply To: Everyone can logon locally to servers

      by cg it ·

      In reply to Everyone can logon locally to servers

      Log on locally meaning? There are 2 types of local access: local to the specific computer and local domain.

      • #3381477

        Reply To: Everyone can logon locally to servers

        by cg it ·

        In reply to Reply To: Everyone can logon locally to servers

        Yep, answer #2 has it. Just change the local computer security policy on the server to deny logon to everyone BUT admins.

    • #3381589

      Reply To: Everyone can logon locally to servers

      by nics ·

      In reply to Everyone can logon locally to servers

      I mean log onto the domain from the server itself. The real problem is that many of the drives have top level security permissions of Everyone FC – and this leaves a lot open. If only admins could access the server it would help minimise the risk until I test & change all permissions. All servers are in cold rooms, but I need to address some particular security risks.

      Hope this clears things up.

      Thanks

    • #3381564

      Reply To: Everyone can logon locally to servers

      by briantruitt ·

      In reply to Everyone can logon locally to servers

      You should be able to specify which users or groups can logon locally. Go to your Domain Security Policy, Local Policies, and click on User Rights Assignment. Over in the Display Pane should be a policy for Deny Logon Locally. It’s not defined by default. Go ahead and define that sucker and you’re back in business cowboy.

    • #2681124

      Reply To: Everyone can logon locally to servers

      by omie ·

      In reply to Everyone can logon locally to servers

      So that nobody could log on … instead of logging off … make it a practice to lock the server. Nobody could log you off except the network administrator, or unless they restart the server.

      Hope this helps..

    • #2728902

      Reply To: Everyone can logon locally to servers

      by martin ·

      In reply to Everyone can logon locally to servers

      Hi, I assume that your users need administrator rights on the workstations so you have added them to the domain admins group on your server?

      If this is the case, why not create a group, say desktopadmin, and add your users into this group? Then on your workstations you add domain\desktopadmin to the local administrators group.

      This way the users have full control of the workstation but not the servers.

    • #2728888

      Reply To: Everyone can logon locally to servers

      by nics ·

      In reply to Everyone can logon locally to servers

      Users do not need Admin access to workstations either. First off – I will change the local security policy to deny access to all other accounts (except admin) as suggested by Brian. We usually lock servers, but I just want to make sure that we have “best practice” in place.

      Thanks for the advice – this should sort it out.

    • #2693214

      Reply To: Everyone can logon locally to servers

      by nics ·

      In reply to Everyone can logon locally to servers

      This question was closed by the author
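
The User Rights Assignment settings discussed in this thread are stored as `SeInteractiveLogonRight` ("Log on locally") and `SeDenyInteractiveLogonRight` ("Deny logon locally") in the `[Privilege Rights]` section of a security template such as the one `secedit /export` writes. The following is an added example, not code from any poster: it audits such a template for accounts beyond the administrators that hold the allow right, and for a deny entry on a broad group, since a deny entry overrides an allow entry and groups like Everyone include the administrators. The function names and the sample template are constructed for illustration, and the file is assumed to be already decoded to text.

```python
import configparser

# Well-known SIDs, identical on every Windows installation.
ADMIN_SID = "S-1-5-32-544"  # BUILTIN\Administrators
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Constructed sample in security-template INF format (not from a real server).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-1-0
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
"""

def parse_rights(inf_text):
    """Return {right name: [SID or account name, ...]} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    # SIDs carry a leading '*'; plain account names are kept as written.
    return {name: [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
            for name, value in cp.items("Privilege Rights")}

def audit_local_logon(inf_text, allowed=(ADMIN_SID,)):
    """List (kind, principal, reason) findings for the local logon rights."""
    rights = parse_rights(inf_text)
    findings = []
    for p in rights.get("SeInteractiveLogonRight", []):
        if p not in allowed:
            findings.append(("allow", p, BROAD_SIDS.get(p, "not in allowed list")))
    for p in rights.get("SeDenyInteractiveLogonRight", []):
        if p in BROAD_SIDS:  # deny beats allow, so administrators are locked out
            findings.append(("deny", p, BROAD_SIDS[p] + " normally covers administrators"))
    return findings

if __name__ == "__main__":
    for kind, principal, reason in audit_local_logon(SAMPLE_INF):
        print(f"{kind:5} {principal:14} {reason}")
```

Pass additional SIDs or account names in `allowed` (for example a domain's Domain Admins group) if they are meant to keep the right.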
