
Access this computer from the network

AKA: SeNetworkPrivilege, Access this computer from the network

Default assignment on workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone

Default assignment on domain controllers: Administrators, Authenticated Users, Everyone

This logon right determines whether you can establish a network logon to this computer for accessing a shared resource such as a shared folder, the registry, event log and other resources offered through the Server service.

This logon right does apply to authenticated IIS connections. This logon right does not control Remote Desktop or Terminal Services connections. See logon right Allow logon through Terminal Services. This logon right does not control access to other applications and services that accept incoming TCP/IP connections and handle their own security.

This logon right is extremely useful as a first line of control over network access to Windows servers. If a remote user fails the check for Access this computer from the network, he is blocked at the door, regardless of what permissions he may have to any resources on the computer.

By default, the special Everyone and/or Authenticated Users principal has “Access this computer from the network” on all versions of Windows, which essentially disables this valuable line of defense. Ultimately, the default assignments give every user in the forest and in any external, trusted domains this right. On workstations, you may need to enable the Server service to support system management and remote administration, but you can limit this right to the appropriate SMS servers and administrators and thus completely block other end users “at the door” from accessing workstations remotely. On departmental servers, you could use this right to limit network access to Administrators and members of the department.

The Deny access to this computer from the network right overrides this right.
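
One way to check these assignments on a given machine, as an added example that is not part of the original page: export the user-rights section with secedit and list who holds the allow and deny rights. secedit writes them as SeNetworkLogonRight and SeDenyNetworkLogonRight; the INF text in the script is a constructed sample, and the function name Get-RightHolder is hypothetical.

```powershell
# Added example: audit who holds the network logon right in a secedit export.
# Real input, from an elevated prompt:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
#   $inf = Get-Content rights.inf
# The INF text below is a constructed sample so the script runs offline.
$inf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDenyNetworkLogonRight = *S-1-5-32-546
'@ -split "`r?`n"

# Well-known SIDs used to label entries.
$names = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-546' = 'Guests'
}
# Principals that open the right to nearly every account.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Get-RightHolder {
    param([string[]]$Lines, [string]$Right)
    # secedit writes "Right = *SID,*SID,name"; no line means nobody holds it.
    $line = $Lines | Where-Object { $_ -match "^\s*${Right}\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($item in ($line -split '=', 2)[1].Split(',')) {
        $id = $item.Trim().TrimStart('*')
        if (-not $id) { continue }
        [pscustomobject]@{
            Right     = $Right
            Principal = if ($names.ContainsKey($id)) { $names[$id] } else { $id }
            Entry     = $id
            Broad     = $broad -contains $id
        }
    }
}

$allow = @(Get-RightHolder -Lines $inf -Right 'SeNetworkLogonRight')
$deny  = @(Get-RightHolder -Lines $inf -Right 'SeDenyNetworkLogonRight')
$allow + $deny | Format-Table -AutoSize

# Flag allow entries that leave the right effectively unrestricted.
$open = @($allow | Where-Object Broad)
if ($open) {
    Write-Warning ("Network logon is open to: " + ($open.Principal -join ', '))
}
```

An account that appears under both rights, directly or through group membership, is denied, because the deny right overrides the allow right.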

Use of this right does not generate a Privilege Use event in the Windows security log, but network logons do generate event ID 540/4624 with logon type 3.

Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.

More information at Logon Rights.
