Deny Local Logon—Even to Admins
Check abuse of administrative privileges with GPOs.
- By Roberta Bragg
I'm always looking for interesting security adaptations: some little trick
that can help force compliance with security policy or make it harder for bad
things to happen to good people and their computers.
One of my battle cries in the past has been "Don't let administrators
read their e-mail." It usually gets everyone's attention and allows me
to explain that all administrators should have two accounts—one for administrative
duties and one for the more mundane. E-mail is definitely one of the latter,
and reading mail while logged on with administrative privileges is asking for
Sure, some bad things can happen to ordinary users, but many malicious programs
introduced via e-mail require administrative privileges to do the really bad
stuff. If you've adopted the two-account security policy, you probably enforce
the requirement by refusing to e-mail-enable administrator accounts.
So how do you force domain administrators to log on as ordinary users in the
domain and still administer the domain? You could be polite and ask them. You
can be sure, though, that some administrators will decide it's too much trouble
to log on as Joe User at his XP desktop, use the Remote Desktop Connection to
enter his admin-level account and password, connect to a domain controller and
administer the domain. What then?
Here's a thought: deny domain admins the right to locally log on to their own
workstations. First, collect all administrative workstations and place their
computer accounts into a unique Organizational Unit (OU), then create a Group
Policy Object (GPO) and link it to the OU.
Next, edit the GPO and, under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, add the Domain Admins group to the "Deny log on locally" right. Once the policy refreshes on the workstations (gpupdate /force, or the normal background refresh), members of the Domain Admins group who try to log on at the console are turned away by the local policy. They can still log on with their ordinary user accounts, and from that session use the Remote Desktop Connection to a domain controller with their Domain Admins account, because that logon is evaluated against the domain controller's user rights, not the workstation's. Two details are worth knowing. The deny right is written into the workstation's local security database, so it holds even when the machine is off the network, and it also blocks "Run as" with the admin account on that workstation, since runas performs an interactive logon. It does not block network logons (mapping a share or pointing an MMC console at the workstation remotely), which are governed by "Deny access to this computer from the network", nor Remote Desktop into the workstation, which has its own "Deny log on through Terminal Services" right.
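The three steps above, as an added example rather than anything from the column itself: a PowerShell script that uses the ActiveDirectory and GroupPolicy modules (RSAT) to build the OU, move the workstations, create and link the GPO, and assign the user right. The OU name, GPO name and workstation names are assumptions. Because no GroupPolicy cmdlet sets user rights, the script writes the security template (GptTmpl.inf) into the GPO's SYSVOL folder, registers the Security Settings client-side extension on the GPO object and bumps the GPO version, which is what the GUI does behind the scenes; the file path and the two extension GUIDs are the standard ones for that extension.

```powershell
# Added example: automate "Deny log on locally" for Domain Admins on an admin-workstation OU.
# Run as a Domain Admin on a host with the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$ouName   = 'Admin Workstations'          # assumed OU name
$gpoName  = 'Deny Admin Local Logon'      # assumed GPO name
$stations = 'ADMWS01', 'ADMWS02'          # assumed workstation computer names

# 1. Collect the administrative workstations into their own OU.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -PassThru
}
foreach ($name in $stations) {
    Move-ADObject -Identity (Get-ADComputer $name).DistinguishedName -TargetPath $ou.DistinguishedName
}

# 2. Create the GPO and link it to the OU (not to the domain).
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Domain Admins may not log on locally here' }
try   { New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName -LinkEnabled Yes -ErrorAction Stop | Out-Null }
catch { Write-Verbose "GPO is already linked to $($ou.DistinguishedName)" }

# 3. Assign the right.  SeDenyInteractiveLogonRight is the template name for
#    "Deny log on locally"; well-known RID 512 is Domain Admins.  Principals are
#    written as *SID so the template does not depend on name resolution.
$domainAdminsSid = "$($domain.DomainSID.Value)-512"
$gpoRoot    = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
$secEditDir = Join-Path $gpoRoot 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secEditDir -Force | Out-Null

$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@
$template += "`r`nSeDenyInteractiveLogonRight = *$domainAdminsSid`r`n"
# The Security extension reads this file as UTF-16; -Encoding Unicode writes that.
Set-Content -Path (Join-Path $secEditDir 'GptTmpl.inf') -Value $template -Encoding Unicode

# Register the Security Settings extension on the GPO (extension GUID + tool GUID)
# and increment the machine half of the version so clients notice the change.
$secCse  = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$gpoObj  = Get-ADObject -Identity $gpo.Path -Properties versionNumber
$version = [int]$gpoObj.versionNumber + 1      # low 16 bits = computer version
Set-ADObject -Identity $gpo.Path -Replace @{ versionNumber = $version; gPCMachineExtensionNames = $secCse }
Set-Content -Path (Join-Path $gpoRoot 'gpt.ini') -Value "[General]`r`nVersion=$version" -Encoding Ascii

Write-Output "GPO '$gpoName' ($($gpo.Id)) linked to $($ou.DistinguishedName); run gpupdate /force on the workstations."
```

Open the GPO in the Group Policy Management Console afterwards and confirm that "Deny log on locally" shows Domain Admins; if the console shows the right as undefined, the version or extension registration did not take and clients will ignore the template.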
What's the advantage here? When you force administrators to always use an ordinary
domain user account on their administrative workstations, you protect the workstation.
Ordinary users have less opportunity to accidentally or maliciously compromise
or damage their workstation.
You can take this practice one step further for those lazy administrators who
might decide to circumvent the policy by using a computer not designated as
an administrative workstation. Create and link the GPO at the domain level instead
of the OU level. This will prevent your admins from logging on locally to any
computer in the domain, except domain controllers, whose user rights come from the GPO
linked to the Domain Controllers OU (the Default Domain Controllers Policy), which is
applied after the domain-level GPO and therefore wins. That exception only covers rights
the Domain Controllers OU GPO actually defines: user rights are replaced, not merged, and
a right left undefined there inherits the domain-level assignment. So before you link at the
domain level, confirm on a domain controller (gpresult or Resultant Set of Policy) that
"Deny log on locally" does not include Domain Admins, or define the right explicitly in the
Domain Controllers OU GPO; otherwise you lock Domain Admins out of the domain controller
console. The same deny is worth applying to Enterprise Admins and Schema Admins.
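The lockout check just described, as an added example that is not part of the column: run it on an administrative workstation after the policy refreshes, and on a domain controller before (and after) linking the GPO at the domain level. It exports the effective user rights with secedit, which needs an elevated prompt, resolves the SIDs and reports who is denied local logon. The function name and warning texts are mine.

```powershell
# Added check: who is effectively denied "Deny log on locally" on this machine?
# Works on workstations and domain controllers; run from an elevated prompt.
function Get-DenyLocalLogon {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    # Export only the user-rights area of the effective local security policy.
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf |
            Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    Remove-Item $inf -Force
    if (-not $line) { return @() }                  # right not defined: nobody denied
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |                        # defined-but-empty also means nobody
        ForEach-Object {
            if ($_.StartsWith('*')) {
                # secedit writes principals as *SID; translate to DOMAIN\Name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $_ }
            } else { $_ }
        }
}

$denied = @(Get-DenyLocalLogon)
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$adminsDenied = $denied | Where-Object { $_ -like '*\Domain Admins' }

if ($isDc -and $adminsDenied) {
    Write-Warning 'Domain Admins are denied local logon on this domain controller: fix the Domain Controllers OU GPO before you lose console access.'
} elseif (-not $isDc -and -not $adminsDenied) {
    Write-Warning 'Domain Admins can still log on locally here: check gpresult /r and the GPO link.'
} else {
    Write-Output "OK on $env:COMPUTERNAME (DC=$isDc); denied local logon: $($denied -join ', ')"
}
```

On the workstation the expected result is an "OK" line listing Domain Admins; on a domain controller the expected result is an "OK" line that does not list them. A warning on the domain controller means the domain-level link is reaching the DCs and must be corrected before the next administrator logs off the console.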
Users with membership in the Domain Admins group have supreme power in the
domain. This power can be used for good or evil. I'm sure that you trust (but,
hopefully, still audit) your domain administrators, but wouldn't it be nice
to also protect the computers they use from accidental abuse of their power?
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.