Show Applies to
Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
Warning If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. ReferenceThe Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by many network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). Users, devices, and service accounts gain or lose the Access this computer from network user right by being explicitly or implicitly added or removed from a security group that has been granted this user right. For example, a user account or a machine account may be explicitly added to a custom security group or a built-in security group, or it may be implicitly added by Windows to a computed security group such as Domain Users, Authenticated Users, or Enterprise Domain Controllers. By default, user accounts and machine accounts are granted the Access this computer from network user right when computed groups such as Authenticated Users, and for domain controllers, the Enterprise Domain Controllers group, are defined in the default domain controllers Group Policy Object (GPO). Constant: SeNetworkLogonRight Possible values
Best practices
LocationComputer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Default valuesThe following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
Policy managementWhen you modify this user right, the following actions might cause users and services to experience network access issues:
A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Group PolicySettings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
When a local setting is greyed out, it indicates that a GPO currently controls that setting. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. VulnerabilityUsers who can connect from their device to the network can access resources on target devices for which they have permission. For example, the Access this computer from the network user right is required for users to connect to shared printers and folders. If this user right is assigned to the Everyone group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 don't include the Everyone group. However, if a device is upgraded and the original device includes the Everyone group as part of its defined users and groups, that group is transitioned as part of the upgrade process and is present on the device. CountermeasureRestrict the Access this computer from the network user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the Administrators and Users groups, users who sign in to the domain can access resources that are shared from servers in the domain if members of the Domain Users group are included in the local Users group.
Potential impactIf you remove the Access this computer from the network user right on domain controllers for all users, no one can sign in to the domain or use network resources. If you remove this user right on member servers, users can't connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to other accounts that are required by those components. It's important to verify that authorized users are assigned this user right for the devices that they need to access the network. If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This outage is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR isn't a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. User Rights Assignment
What's the difference between authentication and authorization? Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource. While authentication and authorization might sound similar, they are distinct security processes in the world of identity and access management (IAM). What Is Authentication?Authentication is the act of validating that users are whom they claim to be. This is the first step in any security process. Complete an authentication process with:
In some instances, systems require the successful verification of more than one factor before granting access. This multi-factor authentication (MFA) requirement is often deployed to increase security beyond what passwords alone can provide. What Is Authorization?Authorization in system security is the process of giving the user permission to access a specific resource or function. This term is often used interchangeably with access control or client privilege. Giving someone permission to download a particular file on a server or providing individual users with administrative access to an application are good examples of authorization. In secure environments, authorization must always follow authentication. Users should first prove that their identities are genuine before an organization’s administrators grant them access to the requested resources. Authentication vs. AuthorizationDespite the similar-sounding terms, authentication and authorization are separate steps in the login process. Understanding the difference between the two is key to successfully implementing an IAM solution. Let's use an analogy to outline the differences. Consider a person walking up to a locked door to provide care to a pet while the family is away on vacation. That person needs:
Authentication and authorization work together in this example. A pet sitter has the right to enter the house (authentication), and once there, they have access to certain areas (authorization).
Systems implement these concepts in the same way, so it’s crucial that IAM administrators understand how to utilize both:
Understand the difference between authentication and authorization, and implement IAM solutions that have strong support for both. You will protect your organization against data breaches and enable your workforce to be more productive. Granting Permissions with OktaOkta Lifecycle Management gives you an at-a-glance view of user permissions, meaning you can easily grant and revoke access to your systems and tools as needed. Meanwhile, Okta Adaptive MFA lets you safeguard your infrastructure behind your choice of authentication factors. For example, make production orders accessible only to certain users who may then have to authenticate using both their company credentials and voice recognition. The opportunities to streamline IAM in your organization are endless. Find out how Okta can keep you, your employees, and your enterprise safe. |