- Allow log on locally — security policy setting
- Reference
- Possible values
- Best practices
- Location
- Default values
- Policy management
- Group Policy
- Security considerations
- Vulnerability
- Countermeasure
- Deny log on locally
- Reference
- Possible values
- Best practices
- Location
- Default values
- Policy management
- Group Policy
- Security considerations
- Vulnerability
- Countermeasure
- Potential impact
- Turn on automatic logon in Windows
- Use Registry Editor to turn on automatic logon
Allow log on locally — security policy setting
Applies to
Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
Reference
This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.
Note: Users who do not have this right are still able to start a remote interactive session on the device if they have the Allow log on through Remote Desktop Services right.
Possible values
- User-defined list of accounts
- Not Defined
By default, the members of the following groups have this right on workstations and servers:
- Administrators
- Backup Operators
- Users
By default, the members of the following groups have this right on domain controllers:
- Account Operators
- Administrators
- Backup Operators
- Print Operators
- Server Operators
Best practices
- Restrict this user right to legitimate users who must log on to the console of the device.
- If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization.
Location
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators |
| Stand-Alone Server Default Settings | Administrators, Backup Operators, Users |
| Domain Controller Effective Default Settings | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators |
| Member Server Effective Default Settings | Administrators, Backup Operators, Users |
| Client Computer Effective Default Settings | Administrators, Backup Operators, Users |
Policy management
Restarting the device is not required to implement this change.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Modifying this setting might affect compatibility with clients, services, and applications. Use caution when removing service accounts that are used by components and by programs on member devices and on domain controllers in the domain from the Default Domain Controllers Policy. Also use caution when removing users or security groups that log on to the console of member devices in the domain, or when removing service accounts that are defined in the local Security Accounts Manager (SAM) database of member devices or of workgroup devices.

If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the Allow log on locally right, or grant the right to that user account directly. The domain controllers in the domain share the Default Domain Controllers Group Policy Object (GPO), so when you grant an account the Allow log on locally right, you are allowing that account to log on locally to all domain controllers in the domain.

If the Users group is listed in the Allow log on locally setting for a GPO, all domain users can log on locally, because the built-in Users group contains Domain Users as a member.
Group Policy
Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
- Local policy settings
- Site policy settings
- Domain policy settings
- OU policy settings
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
Any account with the Allow log on locally user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
Countermeasure
For domain controllers, assign the Allow log on locally user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group. Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the Deny log on locally user right.
Deny log on locally
Applies to
Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting.
Reference
This policy setting determines which users are prevented from logging on directly at the device’s console.
Constant: SeDenyInteractiveLogonRight
Possible values
- User-defined list of accounts
- Not defined
Best practices
- Assign the Deny log on locally user right to the local Guest account to restrict access by potentially unauthorized users.
- Test your modifications to this policy setting in conjunction with the Allow log on locally policy setting to determine whether the user account is subject to both policies.
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Not defined |
| Domain Controller Effective Default Settings | Not defined |
| Member Server Effective Default Settings | Not defined |
| Client Computer Effective Default Settings | Not defined |
Policy management
This section describes features, tools, and guidance to help you manage this policy.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
If you apply this policy setting to the Everyone group, no one will be able to log on locally.
Group Policy
This policy setting supersedes the Allow log on locally policy setting if a user account is subject to both policies.
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
- Local policy settings
- Site policy settings
- Domain policy settings
- OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights.
Countermeasure
Assign the Deny log on locally user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
Potential impact
If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should be explicitly assigned to the ASPNET account on devices that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected.
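The following PowerShell script is an added example, not code from either article. It exports the local user-rights assignment with secedit, resolves the members of Allow log on locally and Deny log on locally, and compares them with the baseline both articles recommend (Administrators only on domain controllers, Guest denied, Deny taking precedence over Allow). It assumes an elevated Windows PowerShell session, since the secedit export needs administrative rights; the function names are the example's own.

```powershell
# Added example, not part of the original articles: audit Allow/Deny log on locally on the
# local machine. Run from an elevated prompt (secedit /export needs administrative rights).
function Get-UserRightMembers {
    param([Parameter(Mandatory)][string]$Privilege)
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    # secedit writes an INI-style file; /areas USER_RIGHTS limits it to [Privilege Rights].
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^$Privilege\s*=" }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not defined here: nobody holds it
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are SIDs prefixed with '*'; translate to DOMAIN\Name when resolvable.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry.Substring(1) }
        } else { $entry }
    }
}

function Test-LocalLogonRights {
    $allow = @(Get-UserRightMembers -Privilege 'SeInteractiveLogonRight')
    $deny  = @(Get-UserRightMembers -Privilege 'SeDenyInteractiveLogonRight')
    # Baseline from the articles: domain controllers -> Administrators only; other servers
    # may add Backup Operators; end-user computers also get Users.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4/5 = domain controller
    $baseline = if ($role -ge 4) { @('BUILTIN\Administrators') }
                else { @('BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'BUILTIN\Users') }
    [pscustomobject]@{
        Role              = if ($role -ge 4) { 'DomainController' } else { 'MemberOrStandalone' }
        AllowLogOnLocally = $allow
        DenyLogOnLocally  = $deny
        BeyondBaseline    = @($allow | Where-Object { $_ -notin $baseline })
        # Both articles recommend denying the Guest account / Guests group local logon.
        GuestDenied       = [bool]($deny | Where-Object { $_ -match '\\Guests?$' })
        # Deny supersedes Allow for an account subject to both (Deny article, Group Policy section).
        AllowedButDenied  = @($allow | Where-Object { $_ -in $deny })
    }
}

Test-LocalLogonRights | Format-List
```

The comparison is by direct entry only; a principal that reaches the right through nested group membership is not expanded here.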
Turn on automatic logon in Windows
This article describes how to configure Windows to automate the logon process by storing your password and other pertinent information in the registry database. By using this feature, other users can start your computer and use the account that you establish to automatically log on.
Original product version: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Original KB number: 324737
The autologon feature is provided as a convenience. However, this feature may be a security risk. If you set a computer for autologon, anyone who can physically obtain access to the computer can gain access to all the computer’s contents, including any networks it is connected to. Additionally, when autologon is turned on, the password is stored in the registry in plain text. The specific registry key that stores this value can be remotely read by the Authenticated Users group. This setting is recommended only for cases in which the computer is physically secured and steps have been taken to make sure that untrusted users cannot remotely access the registry.
Use Registry Editor to turn on automatic logon
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
To use Registry Editor to turn on automatic logon, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type Regedit.exe, and then press Enter.
3. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey in the registry.
4. Double-click the DefaultUserName entry, type your user name, and then click OK.
5. Double-click the DefaultPassword entry, type your password, and then click OK.
   If the DefaultPassword value does not exist, it must be added. To add the value, follow these steps:
   1. On the Edit menu, click New, and then point to String Value.
   2. Type DefaultPassword, and then press Enter.
   3. Double-click DefaultPassword.
   4. In the Edit String dialog, type your password and then click OK.
   Note: If no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), disabling the AutoAdminLogon feature.
6. On the Edit menu, click New, and then point to String Value.
7. Type AutoAdminLogon, and then press Enter.
8. Double-click AutoAdminLogon.
9. In the Edit String dialog box, type 1 and then click OK.
10. If you have joined the computer to a domain, you should add the DefaultDomainName value, and the data for the value should be set as the fully qualified domain name (FQDN) of the domain, for example contoso.com.
11. Exit Registry Editor.
12. Click Start, click Shutdown, and then type a reason in the Comment text box.
13. Click OK to turn off your computer.
14. Restart your computer. You can now log on automatically.
- To bypass the AutoAdminLogon process and to log on as a different user, press and hold the Shift key after you log off or after Windows restarts.
- This registry change does not work if the Logon Banner value is defined on the server either by a Group Policy object (GPO) or by a local policy. When the policy is changed so that it does not affect the computer, the autologon feature works as expected.
- When Exchange Active Sync (EAS) password restrictions are active, the autologon feature does not work. This behavior is by design. This behavior is caused by a change in Windows 8.1 and does not affect Windows 8 or earlier versions. To work around this behavior in Windows 8.1 and later versions, remove the EAS policies in Control Panel.
- An interactive console logon that has a different user on the server changes the DefaultUserName registry entry as the last logged-on user indicator. AutoAdminLogon relies on the DefaultUserName entry to match the user and password. Therefore, AutoAdminLogon may fail. You can configure a shutdown script to set the correct DefaultUserName.
- You can use the Sysinternals tool Autologon to enable this functionality more easily. This tool also lets you store an encrypted version of the password instead of plain text.
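As an added example (not from the original article), this read-only PowerShell check reports the Winlogon values the procedure above sets and the exposure the article warns about: whether AutoAdminLogon is on, whether DefaultPassword is present in plain text, and which principals the key's ACL allows to read it. It assumes Windows PowerShell on the machine being audited; the function name is the example's own.

```powershell
# Added example, not part of the original article: report the autologon state under the Winlogon
# key. It only reads the registry and never prints the password value itself.
function Get-AutoLogonFindings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key
    $hasPassword = $null -ne $p.PSObject.Properties['DefaultPassword']
    $enabled = ([string]$p.AutoAdminLogon) -eq '1'
    $findings = New-Object System.Collections.Generic.List[string]
    if ($enabled) {
        $who = if ($p.DefaultDomainName) { "$($p.DefaultDomainName)\$($p.DefaultUserName)" }
               else { [string]$p.DefaultUserName }
        $findings.Add("AutoAdminLogon=1: anyone with physical access is logged on as '$who'")
        if ($hasPassword) {
            # The article: the password is stored in plain text under this key. Report presence only.
            $findings.Add("DefaultPassword is present in plain text ($($p.DefaultPassword.Length) characters)")
        } else {
            # Per the article, Windows resets AutoAdminLogon to 0 when no DefaultPassword string exists,
            # unless the password is held elsewhere, as with the Sysinternals Autologon tool's encrypted storage.
            $findings.Add('AutoAdminLogon=1 without a DefaultPassword value; password may be held outside this key')
        }
        if (-not $p.DefaultDomainName) {
            $findings.Add('DefaultDomainName is not set (the article recommends it on domain-joined computers)')
        }
    } elseif ($hasPassword) {
        # A leftover plaintext password after autologon was switched off is still worth cleaning up.
        $findings.Add('AutoAdminLogon is off but a DefaultPassword value remains in the registry')
    }
    # Who can read the key? The article notes Authenticated Users can read it remotely by default.
    $readers = (Get-Acl -Path $key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "$($_.IdentityReference) ($($_.RegistryRights))" }
    [pscustomobject]@{
        AutoLogonEnabled   = $enabled
        PasswordInRegistry = $hasPassword
        Findings           = $findings.ToArray()
        KeyReadableBy      = @($readers)
    }
}

Get-AutoLogonFindings | Format-List
```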