Windows Server 2003 Security Guide - The Member Server Baseline Policy

An overview of all options and settings available in the Windows audit policy and user rights assignments.

Copyright notice: All information on this page are based on the recommendations made in the "Microsoft Windows Server 2003 Security Guide" at http://go.microsoft.com/fwlink/?LinkId=14845

Audit Policy

You can configure the Audit policy setting values in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

SettingLegacy ClientEnterprise ClientSpecialized Security – Limited Functionality
Audit account logon eventsSuccessSuccessSuccess Failure
Audit account managementSuccessSuccessSuccess Failure
Audit logon eventsSuccessSuccessSuccess Failure
Audit object accessNo AuditingNo AuditingFailure
Audit policy changeSuccessSuccessSuccess
Audit privilege useNo AuditingNo AuditingFailure
Audit process trackingNo AuditingNo AuditingNo Auditing
Audit system eventsSuccessSuccessSuccess

User Rights Assignments

User rights assignments provide users and groups with logon rights or privileges on the computers in your organization. An example of a logon right is the right to log on to a computer interactively. An example of a privilege is the right to shut down the computer. Both types are assigned by administrators to individual users or groups as part of the security settings for the computer.

Note: Throughout this section, "Not defined" applies only to users; Administrators still have the user right. Local administrators can make changes, but any domain-based Group Policy settings will override them the next time that the Group Policies are refreshed or reapplied.

You can configure the user rights assignment settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following table includes the user rights assignments setting recommendations for all three environments that are defined on this page.

SettingLegacy ClientEnterprise ClientSpecialized Security – Limited Functionality
Access this computer from the networkNot definedNot definedAdministrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Act as part of the operating systemNot definedNot definedNo one
Adjust memory quotas for a processNot definedNot definedAdministrators, NETWORK SERVICE, LOCAL SERVICE
Allow log on locallyAdministrators, Backup Operators, Power UsersAdministrators, Backup Operators, Power UsersAdministrators
Allow log on through Terminal ServicesAdministrators and Remote Desktop UsersAdministrators and Remote Desktop UsersAdministrators
Back up files and directoriesNot definedNot definedAdministrators
Bypass traverse checkingNot definedNot definedAuthenticated Users
Change the system timeNot definedNot definedAdministrators,LOCAL SERVICE
Create a pagefileNot definedNot definedAdministrators
Create a token objectNot definedNot definedNo one
Create global objectsNot definedNot definedAdministrators, SERVICE
Create permanent shared objectsNot definedNot definedNo one
Debug programsNot definedAdministratorsNo one
Deny access to this computer from the networkANONOYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accountsANONOYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accountsANONOYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accounts
Deny logon as a batch jobGuests; Support_388945a0Guests; Support_388945a0Guests; Support_388945a0;
Deny logon as a serviceNot definedNot definedNo one
Deny logon locallyNot definedNot definedGuests; Support_388945a0;
Deny logon through Terminal ServicesGuestsGuestsGuests
Enable computer and user accounts to be trusted for delegationNot definedNot definedAdministrators
Force shutdown from a remote systemNot definedNot definedAdministrators
Generate security auditsNot definedNot definedNETWORK SERVICE, LOCAL SERVICE
Impersonate a client after authenticationNot definedNot definedAdministrators, SERVICE
Increase scheduling priorityNot definedNot definedAdministrators
Load and unload device driversNot definedNot definedAdministrators
Lock pages in memoryNot definedNot definedNo one
Log on as a batch jobNot definedNot definedNot defined
Log on as a serviceNot definedNot definedNETWORK SERVICE
Manage auditing and security logNot definedNot definedAdministrators
Modify firmware environment valuesNot definedNot definedAdministrators
Perform volume maintenance tasksNot definedNot definedAdministrators
Profile single processNot definedNot definedAdministrators
Profile system performanceNot definedNot definedAdministrators
Remove computer from docking stationNot definedNot definedAdministrators
Replace a process level tokenNot definedNot definedLOCAL SERVICE, NETWORK SERVICE
Restore files and directoriesNot definedNot definedAdministrators
Shut down the systemNot definedNot definedAdministrators
Synchronize directory service dataNot definedNot definedNo one
Take ownership of files or other objectsNot definedNot definedAdministrators

Tags: 

You might also be interested in...