Deny Access to This Computer From the Network – Best Practices for DC and Member Server

By Keren Pollack, on May 18th, 2021

Choosing which groups of users will be denied access to a computer from the network is a fundamental step in a hardening project. Hardening can be a painful procedure in complex environments; if you are reading this article, you probably know it. Endless hours and resources are invested in this task, yet, despite the effort, hardening often causes downtime. In fact, over 60% of IT professionals report that they have experienced downtime while trying to harden their infrastructure*.

After years of hardening using the traditional manual tools, we concluded that using hardening automation tools is essential for achieving a successful hardening project and a good compliance posture. Learn more about server hardening automation.

This post provides basic information and configuration recommendations for the 'Deny access to this computer from the network' user right. Once you have decided on your policy, test it before enforcing it so that it does not cause damage.

This blog post will cover:

  1. Deny access to this computer from the network – what does it mean?
  2. Deny access to this computer from the network – potential vulnerability
  3. Countermeasures
  4. The potential impact of configuration change
  5. How to change the ‘Deny access to this computer from the network’ setting

Access and Deny Access to This Computer From the Network

Deny access to this computer from the network – what does it mean?

This user right blocks the listed users and groups from connecting to the computer over the network (file shares and other network logons), regardless of any other permissions they hold. If it is left unconfigured, any account that holds 'Access this computer from the network' can reach the computer remotely and, subject to share and NTFS permissions, read or modify data on it. Where file sharing is needed, host the shares on dedicated file servers rather than on every computer.

It is important to distinguish this right from 'Access this computer from the network'. If an account is subject to both, 'Deny access to this computer from the network' takes precedence and the account is denied.

Deny access to this computer from the network – potential vulnerability:

Any account that can log on to this computer over the network can enumerate account names, group names and shared resources, and, wherever it has permission on shared folders and files, view or modify that data. Denying the right to Guests (at minimum) keeps control over which users can log on to the computer over the network.

Countermeasures:

There are three cases to consider when deciding which principals will be denied access:

End Points – deny access to Anonymous Logon, the built-in local Administrator account, Guests, and all service accounts.

Domain Controllers – deny access to Guests.

Member Servers – deny access to Guests and to the well-known group 'Local account and member of Administrators group' (that is, any local account that is a member of the local Administrators group; domain accounts are not covered by it).

See also: securing Active Directory when anonymous users must have access.

The potential impact of configuration change:

On a non-domain-joined server, applying the Member Server setting means that the only accounts able to administer it remotely are local administrators, and those are exactly what the setting denies; the server can then be administered only at the console.

A second impact applies to both non-domain-joined and member servers: applications that create a local service account and place it in the Administrators group. Such accounts fall under 'Local account and member of Administrators group' and lose their network logon. The preferred fix is to change the application to use a domain-hosted service account; if that is not possible, make an exception by removing 'Local account and member of Administrators group' from this setting on the affected servers.
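The following PowerShell is an added example for the impact check described above; it is not code from the original post or from CalCom. It lists the local accounts that 'Local account and member of Administrators group' (S-1-5-114) resolves to on the host it runs on, together with any Windows services configured to run under them, which are the accounts that the Member Server setting would stop from logging on over the network. The function name is this example's own; it assumes Windows Server 2016 / Windows 10 or later (where PrincipalSource is populated) with the built-in Microsoft.PowerShell.LocalAccounts module, and an elevated prompt.

```powershell
# Added example, not part of the original post: an impact pre-check for the
# Member Server recommendation. It lists the local accounts that the well-known
# group "Local account and member of Administrators group" (S-1-5-114) resolves
# to on this host, and any Windows services configured to run under them, i.e.
# the accounts that denying S-1-5-114 would stop from logging on over the network.
# Assumes Windows Server 2016+/Windows 10+ (PrincipalSource is populated there)
# with the Microsoft.PowerShell.LocalAccounts module; run from an elevated prompt.

function Get-LocalAdminNetworkDenyImpact {
    # Members of the built-in Administrators group, addressed by its well-known
    # SID S-1-5-32-544 so the check does not depend on the localized group name.
    # Known caveat: Get-LocalGroupMember fails if the group holds an orphaned SID;
    # remove such entries (or fall back to 'net localgroup Administrators') first.
    $localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

    # Service logon accounts as stored by the Service Control Manager. Local
    # accounts appear as ".\name" or "HOSTNAME\name"; built-in identities such as
    # "LocalSystem" or "NT AUTHORITY\NetworkService" never match and are skipped.
    $hostPrefix = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    $services   = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match $hostPrefix }

    foreach ($admin in $localAdmins) {
        $user  = $admin.Name.Split('\')[-1]
        $using = $services | Where-Object { ($_.StartName -replace $hostPrefix, '') -ieq $user }
        [pscustomobject]@{
            Account  = $admin.Name
            SID      = $admin.SID.Value
            Enabled  = (Get-LocalUser -SID $admin.SID).Enabled
            Services = if ($using) { ($using | ForEach-Object { $_.Name }) -join ', ' } else { '-' }
        }
    }
}

# Any row with a service behind it is the case described in the text: move the
# service to a domain-hosted account, or plan an exception for S-1-5-114.
Get-LocalAdminNetworkDenyImpact | Format-Table -AutoSize
```

Run it on each candidate server before the policy is enforced; an empty table means the S-1-5-114 entry can be applied without touching any service, while a populated one tells you which accounts need a domain-hosted replacement or a documented exception.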

How to change the ‘Deny access to this computer from the network’ configuration:

UI path:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
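For hosts where you want to audit the assignment from the command line rather than the Group Policy editor, here is an added PowerShell example (not code from the original post or from CalCom). It exports the local security database with secedit, reads the SeDenyNetworkLogonRight value behind the UI path above, compares it with the recommendation for the host's role, and with -Enforce writes the missing entries back. The role-to-baseline mapping and the function names are this example's own assumptions, built from the three cases in the text; on a domain-joined machine the GPO path remains authoritative and a value written locally with secedit is replaced at the next policy refresh, so -Enforce is meant for standalone hosts or lab tests.

```powershell
# Added example, not part of the original post: audit the "Deny access to this
# computer from the network" assignment (SeDenyNetworkLogonRight) on the local
# machine with secedit, compare it with the recommendation for this host's role,
# and optionally apply the missing entries. Run from an elevated prompt.
# On a domain-joined machine the GPO path in the text stays authoritative: a value
# written locally with secedit is overwritten at the next policy refresh.
param([switch]$Enforce)

# Well-known SIDs for the principals named in the recommendations.
$WellKnown = @{
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-32-546' = 'Guests'
    'S-1-5-113'    = 'Local account'
    'S-1-5-114'    = 'Local account and member of Administrators group'
}

function Get-HostRole {
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server, 4/5 domain controller.
    # A standalone server (2) gets the member-server baseline, with the
    # remote-administration caveat described in the text.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { 'DomainController' } elseif ($role -ge 2) { 'MemberServer' } else { 'Endpoint' }
}

function Get-Baseline([string]$Role) {
    # Mapping assumed by this example, taken from the three cases in the text.
    # The Endpoint case adds the built-in Administrator (RID 500); per-host
    # service accounts are not covered here and must be added by hand.
    switch ($Role) {
        'DomainController' { @('S-1-5-32-546') }
        'MemberServer'     { @('S-1-5-32-546', 'S-1-5-114') }
        default {
            $adminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value
            @('S-1-5-7', 'S-1-5-32-546', $adminSid)
        }
    }
}

function Get-DenyNetworkLogonRight {
    # secedit exports the local security database as a Unicode INI; the user
    # right lives under [Privilege Rights] as a comma-separated list of *SID entries.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }      # right assigned to nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Set-DenyNetworkLogonRight([string[]]$Sids) {
    # Write a minimal security template and import only the USER_RIGHTS area;
    # this replaces the current assignment with $Sids (it does not merge).
    $inf   = Join-Path $env:TEMP 'secpol-apply.inf'
    $db    = Join-Path $env:TEMP 'secpol-apply.sdb'
    $value = ($Sids | ForEach-Object { "*$_" }) -join ','
    @('[Unicode]', 'Unicode=yes',
      '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "SeDenyNetworkLogonRight = $value") |
        Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

function Resolve-Sid([string]$Sid) {
    if ($WellKnown.ContainsKey($Sid)) { return $WellKnown[$Sid] }
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable SID: keep it so it still shows in the report
}

$role     = Get-HostRole
$current  = @(Get-DenyNetworkLogonRight)
$expected = @(Get-Baseline $role)
$missing  = @($expected | Where-Object { $_ -notin $current })
$extra    = @($current  | Where-Object { $_ -notin $expected })

"Role    : $role"
"Current : " + (($current | ForEach-Object { Resolve-Sid $_ }) -join '; ')
"Missing : " + (($missing | ForEach-Object { Resolve-Sid $_ }) -join '; ')
"Extra   : " + (($extra   | ForEach-Object { Resolve-Sid $_ }) -join '; ')

if ($Enforce -and $missing.Count -gt 0) {
    # Keep existing entries (they may be deliberate exceptions) and add the missing ones.
    Set-DenyNetworkLogonRight -Sids ($current + $missing)
    "Applied; re-run without -Enforce to verify."
}
```

Entries reported under Extra are not removed by the script on purpose: they may be the exceptions discussed above (for example an S-1-5-114 removal kept for a legacy application), and deleting them is a policy decision rather than a drift fix.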

The biggest challenge in deciding who may access a computer from the network and who must be denied is improving security without breaking the functionality of system components. Therefore, before implementing any change to these policies, you must conduct an impact analysis.

The best approach to an impact analysis is to use hardening automation tools that generate impact reports automatically. Such tools let you skip the manual impact analysis procedure and produce a detailed report of what the impact of each policy change will be and why. Investing in these tools minimizes the risk of production outages and saves the time and resources otherwise spent on testing. Learn how CalCom hardening automation solutions can automatically generate an impact analysis report.