Windows Vista Tips

Re: Questions on Authenticated Users and Access This Computer From Network User Right

Roger Abell [MVP], 07-03-2006

"Will" <> wrote in message
news:CIKdnVveCsHG-...
> Microsoft KB 823659 implies that Authenticated Users is equivalent to
> Users, Computers, and Service accounts. I have two questions on this:
>
> 1) If I want to remove Authenticated Users from the User right "Access
> this computer from network" then what are the entities that should be
> used instead of Authenticated Users?


Access this computer from network:
This user right can be void. There is no need to grant access to any
account. You determine who/what you want to allow.

> I am guessing at minimum I need these:
>
> Domain Users
> Domain Computers
> Network Service
>
> Let's assume for now that I only want users in a single domain to have
> access to the shares.
>


If you want only the users from domain X to have access then
the user right would be granted to X\Domain Users only.
Network Service would not be used unless you wanted the machine
itself to access its own shares via a network connection.
Domain Computers would only be used if you wanted to allow
processes running as Local System or Network Service on any
machine in the domain whose Domain Computers group is used.
Use of a grant of this right to Domain Computers is highly unusual,
but is used for such things as access to startup scripts or to where
info is written during startup.

> Does Authenticated Users cover other cases (yes, I do realize it covers
> users in other domains of the same forest)?
>


Authenticated Users represents any account in the forest except Guest
accounts (and Anonymous which is not authenticated)

> 2) Microsoft KB 823659 implies without saying it clearly that *member
> servers* need to have the Authenticated Users" added to the "Access this
> computer from network".


I do not see such implication.
As said before, the right only needs to be granted to what you want
to have network access (to shares/printers), and Authenticated Users
is almost every forest account. So, if you wanted all except Guest
accounts in the forest, except Anonymous, to have access then one
would use such a grant.
This is contrary to normal use guided by the principle of least privilege.
Grant the right to what is entitled, what has a valid, defined need for
the access.

> The sentence that throws me off is the very first
> sentence of 823659 under the "Access this computer from network" section
> heading:
>
> "The ability to interact with remote Windows computers requires the Access
> this computer from network user right."
>


. . . as validated, i.e. authorized at the machine where the user
right is to be used . . .
Authorization to access is checked at the point of access, so the right
needs to be in the user token on that machine, meaning the right needs
to be granted on that machine - not the accessed-from machine where the
same account has a token used for authorization checks on that
access-from machine.

> This sentence seems to be written from the perspective of the client
> computer, not the server.


I guess that view is relative to reader supplied context.

> Does the client computer on a network that
> needs to access a share on a file server need to include all of the same
> elements in "Access this computer from network" that the file server does?


I believe the answer should be clear by now. No.

> If the answer is no, Microsoft really needs to rewrite this entire
> document and supply a different list of recommended entries based on
> the role of the computer on the network.
>


Try rereading with the above added clarifications, keeping in mind that
when an account is authorized at each different machine by establishing
a connection the basic user token is adjusted to represent authorization
on that specific machine.


Roger Abell [MVP], 07-03-2006
"Will" <> wrote in message
news: ...
>
> "Roger Abell [MVP]" <> wrote in message
> news:...
>> If you want only the users from domain X to have access then
>> the user right would be granted to X\Domain Users only.
>> Network Service would not be used unless you wanted the machine
>> itself to access its own shares via a network connection.
>> Domain Computers would only be used if you wanted to allow
>> processes running as Local System or Network Service on any
>> machine in the domain whose Domain Computers group is use.
>> Use of a grant of this right to Domain Computers is highly unusual,
>> but is used for such as access to startup scripts or to where info
>> is written during startup.

>
> What about for replicating machine group policy from the domain controller
> to the member server? Isn't that replication being done by some service
> that runs as Local System or Network Service
>


Will, those are the grants on the DC that are involved, and in general,
unless you know pretty well the architecture of AD you would be
well off not fooling with the settings on a DC.

>
>> > Does the client computer on a network that
>> > needs to access a share on a file server need to include all of the
>> > same elements in "Access this computer from network" that the file
>> > server does?
>>
>> I believe the answer should be clear by now. No.

>
> So on the typical member server, what should be in the list of users in
> the "Access this computer from the network" user right? It should be
> empty?
>


It all depends on what roles are filled by the member.
For example, an SQL server might have need for no grants of this,
whereas an organization's file servers or print servers certainly would.

>
>> > If the answer is no, Microsoft really needs to rewrite this entire
>> > document and supply a different list of recommended entries based on
>> > the role of the computer on the network.

>>
>> Try rereading with the above added clarifications, keeping in mind that
>> when an account is authorized at each different machine by establishing
>> a connection the basic user token is adjusted to represent authorization
>> on that specific machine.

>
> I still think the Microsoft KB article, as written, does a poor job of
> explaining that the client side settings will differ from the server
> side, and it should be written to supply an explicit recommendation about
> what users or groups to add to this privilege on client computers.
>


Perhaps, but generally, in an enterprise, clients do not share and so
have no need for any account to be granted this right, given that there
is a distinct preference for server-based storage and print queueing.


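The two replies above make one practical point: "Access this computer from the network" (the SeNetworkLogonRight user right) is evaluated on the machine being accessed, so each member server or client should carry only the grants its role needs, and a grant to Authenticated Users or Everyone means nearly every account in the forest. The following PowerShell script is an added example, not code from the thread or from Microsoft; it audits the right on the local machine with secedit.exe and can rewrite it to an explicit list. The domain name CORP and the file names under $env:TEMP are assumptions, and it must be run elevated.

```powershell
# Audit and tighten SeNetworkLogonRight ("Access this computer from the network")
# on the local machine via secedit.exe. Added example; run from an elevated prompt.
# Assumptions: secedit.exe is present (it ships with Windows); the caller is a local
# admin; the domain name CORP in the usage line at the bottom is hypothetical.

$wellKnownSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit exports SIDs prefixed with '*'; account names appear bare.
    if ($Entry -notlike '*S-1-*') { return $Entry }
    $sid = $Entry.TrimStart('*')
    if ($wellKnownSids.ContainsKey($sid)) { return $wellKnownSids[$sid] }
    try {
        return ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { return $sid }   # unresolvable (e.g. deleted account): keep the raw SID
}

function Get-NetworkLogonRight {
    # Returns the principals currently granted SeNetworkLogonRight on this machine.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # line absent: the right is granted to nobody
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { Resolve-PrincipalName $_.Trim() }
}

function Set-NetworkLogonRight {
    # Replaces the grant list with exactly $Principals; an empty list revokes it
    # from everyone (a security template entry with no value clears the right).
    param([string[]]$Principals = @())
    $sids = foreach ($p in $Principals) {
        '*' + ([System.Security.Principal.NTAccount]$p).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    $inf = Join-Path $env:TEMP 'secpol-set.inf'
    $db  = Join-Path $env:TEMP 'secpol-set.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = $($sids -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Usage: report the current grants and flag the broad ones the thread warns about.
$current = Get-NetworkLogonRight
"Current SeNetworkLogonRight grants: $($current -join '; ')"
if ($current -contains 'Authenticated Users' -or $current -contains 'Everyone') {
    Write-Warning 'Broad grant present: every non-Guest account in the forest can connect.'
}
# File server that should serve one domain's users only (CORP is hypothetical):
# Set-NetworkLogonRight -Principals 'CORP\Domain Users', 'BUILTIN\Administrators'
# Workstation that shares nothing, as the second reply suggests:
# Set-NetworkLogonRight -Principals @()
```

Two caveats before relying on this. On a domain-joined machine, any GPO that defines User Rights Assignment overwrites the local setting at the next policy refresh, so the lasting change belongs in the GPO that targets that server role; use gpresult /h to see which policy wins. The companion right "Deny access to this computer from the network" (SeDenyNetworkLogonRight) takes precedence over a grant, so a principal that appears in both is still blocked.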