Forum Discussion
Curious_Kevin16
Sep 23, 2024Brass Contributor
Active directory security remediation items - seeking advise
Hi Active Directory Brain Trust,
We're aiming to implement following security restrictions as part of a AD security remediation. If anyone have implemented, consulted on these in the past, could I please seek your advise on how to implement these (which objects to target to begin with, what implications they may introduce for operations, how to phase out the implementation etc..). some useful info to ready plus your advises are highly appreciated !!
- Deny Log On Through Remote Desktop Services
- Deny Log On Locally
- Deny log on as a service
- Deny access to this computer from the network
- kyazaferrIron Contributor
Deny Log On Through Remote Desktop Services (RDS)
- Objective: Prevent certain user groups from logging on to servers or workstations via Remote Desktop Protocol (RDP).
- Implementation:
- Use Group Policy to configure this setting:
- Group Policy Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on through Remote Desktop Services
Deny Log On Locally
- Objective: Prevent users from logging in interactively at the console or directly on the machine.
- Implementation:
- Configure using Group Policy:
- Group Policy Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
- Apply to groups like service accounts, non-privileged users, or domain users where interactive logon is not necessar
Deny Log On as a Service
- Objective: Block users from running or registering services on systems.
- Implementation:
- Group Policy path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on as a service
- Apply to user accounts or groups that should not have the ability to run services, such as standard user accounts.
Deny Access to This Computer from the Network
- Objective: Block specific users or groups from accessing the machine over the network.
- Implementation:
- Group Policy path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny access to this computer from the network
- Configure using Group Policy:
- Use Group Policy to configure this setting: