Security Watch

Deny Local Logon—Even to Admins

Check abuse of administrative privelages with GPOs.

• By Roberta Bragg
• 11/15/2004

One of my battle cries in the past has been "Don't let administrators read their e-mail." It usually gets everyone's attention and allows me to explain that all administrators should have two accounts—one for administrative duties and one for the more mundane. E-mail is definitely one of the latter, and reading mail while logged on with administrative privileges is asking for trouble.

Sure, some bad things can happen to ordinary users, but many malicious programs introduced via e-mail require administrative privileges to do the really bad stuff. If you've adopted the two-account security policy, you probably enforce the requirement by refusing to e-mail-enable administrator accounts.

So how do you force domain administrators to log on as ordinary users in the domain and still administer the domain? You could be polite and ask them. You can be sure, though, that some administrators will decide it's too much trouble to log on as Joe User at his XP desktop, use the Remote Desktop Connection to enter his admin-level account and password, connect to a domain controller and administer the domain. What then?

Here's a thought: deny domain admins the right to locally log on to their own workstations. First, collect all administrative workstations and place their computer accounts into a unique Organizational Unit (OU), then create a Group Policy Object (GPO) and link it to the OU.

Next, edit the GPO and assign the "Deny Log on Locally" User right in Windows Settings\Security Settings\Local Policies\User Rights to the Domain Admins group. When the policy is refreshed on the workstations and members of the Domain Admins group attempt to log on to their workstations, they'll be denied. They will, however, be able to log on with their ordinary user accounts, as well as use the Remote Desktop Connection through their Domain Admins group member accounts and passwords.

What's the advantage here? When you force administrators to always use an ordinary domain user account on their administrative workstations, you protect the workstation. Ordinary users have less opportunity to accidentally or maliciously compromise or damage their workstation.

You can take this practice one step further for those lazy administrators who might decide to circumvent the policy by using a computer not designated as an administrative workstation. Create and link the GPO at the domain level instead of the OU level. This will prevent your admins from logging on locally to any computer in the domain (except domain controllers; user rights on domain controllers are set in the default Domain Controller Security Policy).

Users with membership in the Domain Admins group have supreme power in the domain. This power can be used for good or evil. I'm sure that you trust (but, hopefully, still audit) your domain administrators, but wouldn't it be nice to also protect the computers they use from accidental abuse of their power?