Access this computer from the network
AKA: SeNetworkPrivilege, Access this computer from the network
Default assignment on workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone
Default assignment on domain controllers: Administrators, Authenticated Users, Everyone
This logon right determines whether you can establish a network logon to this computer for accessing a shared resource such as a shared folder, the registry, event log and other resources offered through the Server service.
This logon right does apply to authenticated IIS connections. This logon right does not control Remote Desktop or Terminal Services connections. See logon right Allow logon through Terminal Services. This logon right does not control access to other applications and services that accept incoming TCP/IP connections and handle their own security.
This logon right is extremely useful as a first line of control over network access to Windows servers. If a remote user fails the check for Access this computer from the network, he is blocked at the door, regardless of what permissions he may have to any resources on the computer.
By default the special Everyone and/or Authenticated Users principal has “Access this computer from the network” on all versions of Windows, which essentially disables this valuable line of defense. Ultimately, the default assignments give this right to every user in the forest and in any external, trusted domains. On workstations, you may need to enable the Server service to support system management and remote administration, but you can limit this right to the appropriate SMS servers and administrators and thus completely block other end-users “at the door” from accessing workstations remotely. On departmental servers, you could use this right to limit network access to Administrators and members of the department.
The Deny access to this computer from the network right overrides this right.
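As an added example (not part of the original article), the following Python audits a `secedit /export` policy file for the broad default assignments described above and lists the deny entries that override them. The sample policy text and the approved list are constructed for illustration; `SeNetworkLogonRight` and `SeDenyNetworkLogonRight` are the constant names secedit writes for the allow and deny rights.

```python
import configparser

# Well-known SIDs that make the right effectively unrestricted.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users"}

# Constructed sample resembling the workstation defaults listed above.
# On a real host, export with:
#   secedit /export /cfg policy.inf /areas USER_RIGHTS
# and read the file with encoding="utf-16".
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right: set of SIDs/account names} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
            for right, value in cp.items("Privilege Rights")}

def audit_network_logon(inf_text, approved):
    """Compare the network logon right with an approved set of principals."""
    rights = parse_rights(inf_text)
    allow = rights.get("SeNetworkLogonRight", set())
    deny = rights.get("SeDenyNetworkLogonRight", set())
    return {
        "broad": sorted(BROAD[s] for s in allow if s in BROAD),
        "unexpected": sorted(allow - set(approved)),
        # Deny entries override the allow list for any account they match.
        "deny": sorted(deny),
    }

if __name__ == "__main__":
    # Hypothetical approved list: local Administrators only.
    print(audit_network_logon(SAMPLE_INF, approved={"S-1-5-32-544"}))
```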
Use of this right does not generate a Privilege Use event in the Windows security log, but network logons do generate event ID 540/4624 with logon type 3.
Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.
More information at Logon Rights.