Forum Discussion

Curious_Kevin16's avatar
Curious_Kevin16
Brass Contributor
Sep 23, 2024

Active directory security remediation items - seeking advise

Hi Active Directory Brain Trust, 

 

We're aiming to implement following security restrictions as part of a AD security remediation. If anyone have implemented, consulted on these in the past, could I please seek your advise on how to implement these (which objects to target to begin with, what implications they may introduce for operations, how to phase out the implementation etc..). some useful info to ready plus your advises are highly appreciated !!

 

  • Deny Log On Through Remote Desktop Services
  • Deny Log On Locally
  • Deny log on as a service
  • Deny access to this computer from the network
  • kyazaferr's avatar
    kyazaferr
    Iron Contributor

    Deny Log On Through Remote Desktop Services (RDS)

    • Objective: Prevent certain user groups from logging on to servers or workstations via Remote Desktop Protocol (RDP).
    • Implementation:
      • Use Group Policy to configure this setting:
        • Group Policy Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on through Remote Desktop Services 
        • Deny Log On Locally

          • Objective: Prevent users from logging in interactively at the console or directly on the machine.
          • Implementation:
            • Configure using Group Policy:
              • Group Policy Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
              • Apply to groups like service accounts, non-privileged users, or domain users where interactive logon is not necessar

                Deny Log On as a Service

                • Objective: Block users from running or registering services on systems.
                • Implementation:
                  • Group Policy path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on as a service
                  • Apply to user accounts or groups that should not have the ability to run services, such as standard user accounts.
                  • Deny Access to This Computer from the Network

                    • Objective: Block specific users or groups from accessing the machine over the network.
                    • Implementation:
                      • Group Policy path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny access to this computer from the network
                      • Curious_Kevin16

Resources