For other server roles and devices, add the Remote Desktop Users group. Countermeasureįor domain controllers, assign the Allow log on through Remote Desktop Services user right only to the Administrators group. If you don't restrict this user right to legitimate users who must sign in to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. VulnerabilityĪny account with the Allow log on through Remote Desktop Services user right can sign in to the remote console of the device. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update: However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the Allow log on through Remote Desktop Services user right.įor more information, see Deny log on through Remote Desktop Services.Ī restart of the device isn't required for this policy setting to be effective.Īny change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. To exclude users or groups, you can assign the Deny log on through Remote Desktop Services user right to those users or groups. It's possible for a user to establish a Remote Desktop Services session to a particular server, but not be able to sign in to the console of that same server. To use Remote Desktop Services to successfully sign in to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop Services right. This section describes different features and tools available to help you manage this policy. Server type or GPOĭomain Controller Effective Default SettingsĬlient Computer Effective Default Settings Default values are also listed on the policy’s property page. The following table lists the actual and effective default policy values. The Remote Desktops Users group also has this right on workstations and servers. To control who can open a Remote Desktop Services connection and sign in to the device, add users to or remove users from the Remote Desktop Users group.Ĭomputer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Default valuesīy default, members of the Administrators group have this right on domain controllers, workstations, and servers.It's possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to sign in to the console of that same server.Ĭonstant: SeRemoteInteractiveLogonRight Possible values This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection. Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.
0 Comments
Leave a Reply. |