Q

Is there a flaw in Win2k Server's security?

Yesterday, in a Windows 2000 Server class, we discovered that Windows 2000 Server evaluation copy (with SP3 installed) permitted someone who was a member of the users group to log on locally. Under Local Security, we changed security to Deny Logon Locally to the users group. To our surprise, not even the administrator could log on locally when the computer was rebooted. Is this a flaw in Windows 2000 Server's security?

There are three essential Windows principles that come into play here. First, by default, every new user created is a member of the users group. Second, administrators, who are members of the users group, can log on locally to a default Windows 2000 server. Other users such as server operators, account operators, etc., can also log on. However, users who are just users cannot.

Please check your statement above. I have never seen this to be a problem in a default install. Unless a user has some administrative responsibility, or is explicitly given the right to log on locally, he/she cannot log on to a server locally. To a workstation -- yes.

Who was the user that could log on? By default, right after install, there is only one user who can log on locally -- the administrator -- as that is the only account. Did you create an account? And then attempt to log on? What privileges or group membership did you give this user account?

Third: the Deny Logon Locally right takes precedence, as do most deny rights, over any "allow" rights. Here's how most privileges work. If you are explicitly given a privilege, you have it. Otherwise, you are implicitly denied. If you are explicitly denied, then any explicit "allows" don't count. So, yes, if you "Deny" logon to the users group, you deny logon to every member, even if you explicitly allow logon.

So, no, this is not a flaw in Windows 2000 server security. It is acting as it was designed, and as most security gurus would want it: deny overrides allow. We want security to fail closed. In information security it's far better that an innocent be kept out of a resource they maybe should get access to, than that an attacker accidentally get access to somewhere they shouldn't be.
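The precedence rule the expert describes, modelled as an added example (not from the original answer): group membership is resolved transitively, an entry in the deny list wins, otherwise an explicit allow is required. Group names mirror the Windows 2000 built-ins, but the memberships and right assignments below are constructed to reproduce the classroom scenario.

```python
# Model of Windows user-rights evaluation as described above:
# explicit deny beats explicit allow; no explicit allow means implicitly denied.
# Constructed data: Administrator is in Administrators AND in Users, as the
# answer states for a default Windows 2000 server.
from typing import Dict, Set

# Group -> direct members (accounts or nested groups). Hypothetical membership.
GROUPS: Dict[str, Set[str]] = {
    "Administrators": {"Administrator"},
    "Users": {"Administrator", "alice"},
    "Server Operators": {"bob"},
}

def principals_for(account: str) -> Set[str]:
    """Return the account plus every group it belongs to, transitively."""
    found = {account}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in found and found & members:
                found.add(group)
                changed = True
    return found

def can_log_on_locally(account: str, allow: Set[str], deny: Set[str]) -> bool:
    """Evaluate the 'log on locally' right: any matching deny entry wins;
    otherwise an explicit allow is needed; with neither, implicitly denied."""
    who = principals_for(account)
    if who & deny:
        return False
    return bool(who & allow)

# Approximate default 'Log on locally' assignment for a member server (constructed).
ALLOW_DEFAULT = {"Administrators", "Server Operators", "Account Operators",
                 "Backup Operators", "Print Operators"}
DENY_DEFAULT: Set[str] = set()
# The change made in the class: Deny log on locally -> Users.
DENY_CLASS = {"Users"}

def lockout_report(allow: Set[str], deny: Set[str]) -> Dict[str, bool]:
    """Who can still log on locally under a given allow/deny assignment."""
    return {acct: can_log_on_locally(acct, allow, deny)
            for acct in ("Administrator", "alice", "bob")}

if __name__ == "__main__":
    print("before:", lockout_report(ALLOW_DEFAULT, DENY_DEFAULT))
    print("after: ", lockout_report(ALLOW_DEFAULT, DENY_CLASS))
```

Running it shows Administrator losing local logon the moment Users is denied, while bob (Server Operators, not a member of Users) keeps it, which is why the safer fix is to leave the allow list alone rather than add a deny that a nested membership can inherit.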

This was first published in March 2003
