WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Access from Network

Access this computer from the network

AKA: SeNetworkPrivilege, Access this computer from the network

Default assignment on workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone

Default assignment on domain controllers: Administrators, Authenticated Users, Everyone This logon right determines whether you can establish a network logon to this computer for accessing a shared resource such as a shared folder, the registry, event log and other resources offered through the Server service.

This logon right does apply to authenticated IIS connections. This logon right does not control Remote Desktop or Terminal Services connections. See logon right Allow logon through Terminal Services. This logon right does not control access to other applications and services that accept incoming TCP/IP connections and handle their own security.

This logon right is extremely useful as a first line of control over network access to Windows servers. If a remote user fails the check for Access this computer from the network, he is blocked at the door, regardless of what permissions he may have to any resources on the computer.

By default the special Everyone and/or Authenticated Users principal has “Access this computer from the network” on all versions of Windows which essentially disables this valuable line of defense. Ultimately, the default assignments give every users in the forest and any external, trusted domains this right. On workstations, perhaps you must enable the Server service on workstations to support system management and remote administration. But you can limit this right to appropriate SMS servers and administrators and thus completely block other end-users “at the door” from accessing workstation remotely. On departmental servers, you could use this right to limit network access to Administrators and members of the department.

The Deny access to this computer from the network right overrides this right.

Use of this right does not generate a Privilege Use event in the Windows security log but network logons do generate event ID 540/4624 with logon type 3.

Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.

More information at Logon Rights.

Upcoming Webinars

Additional Resources

User Rights In-Depth

•	Access from Network
•	Act as OS
•	Add Workstations
•	Adjust Memory Quotas
•	Allow log on locally
•	Allow Terminal Services logon
•	Backup Files & Directories
•	Bypass traverse checking
•	Change the system time
•	Create a pagefile
•	Create a token object
•	Create global objects
•	Permanent shared objects
•	Debug programs
•	Deny network access
•	Deny logon as a batch job
•	Deny logon as a service
•	Deny logon locally
•	Deny Terminal Services logon
•	Enable trusted for delegation
•	Force shutdown remotely
•	Generate security audits
•	Impersonate a client
•	Increase scheduling priority
•	Load and unload device drivers
•	Lock pages in memory
•	Log on as a batch job
•	Log on as a service
•	Manage auditing and security log
•	Modify firmware values
•	Volume maintenance
•	Profile single process
•	Profile system performance
•	Remove from docking station
•	Replace process level token
•	Restore files and directories
•	Shut down the system
•	Sync directory service data
•	Take ownership of files & objects

User name:
Password:
	/ Forgot?
	Register

July 2024 Patch Tuesday	"Patch Tuesday - Four Zero Days " - sponsored by Supercharger for Windows Event Collection

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.