Review User Rights and Security Options

15 Review and evaluate the use of user rights and security options assigned to the elements in the security policy settings.

The default installation of Windows Server 2003 has 39 user rights settings and 70 security options. These settings and options allow broad, sweeping, and powerful changes to how the host will behave under many different situations.


Be very careful here. It is possible to lock yourself out, disable critical internal processes, and limit necessary functionality. It's strongly recommended that you thoroughly test any changes you make here in a test environment with any applications that may even possibly depend on the settings running on the system.


you'll find the security policies as they affect your system by typing rsop.msc or secpol.msc at the command line. After the GUI opens, select Computer Configuration | Windows Settings | Local Policies. Remember that you can export these settings by right clicking the folder icon and selecting "Export."

Evaluate the settings you have here with the policies you have for your organization. There are several guides suggesting recommended settings, including Microsoft's website, the built-in security templates, the Center for Information Security guides (, and of course, SANS ( The bottom line here is that you need to decide what your organization is looking to accomplish and audit against these settings. If your organization isn't using these settings at all, then you should take the initiative to spearhead a project to look into these settings. Here are some common settings for both.

Common security options include

  • Renaming guest and administrator accounts

  • Disabling the guest account

  • Choosing not to display the last logged on user

  • Prompting the user to change the password before expiration

  • Refusing enumeration of SAM accounts and shares by anonymous

  • Refusing to store network credentials (Be careful with this!)

  • Changing local-area network (LAN) manager responses (Be careful with this!)

Common user rights assignments include

  • Changing who can access the computer across the network

  • Defining who can log on locally

  • Denying access to the computer from the network

  • Denying logon through terminal services

  • Defining who can take ownership of file or other objects

IT Auditing. Using Controls to Protect Information Assets
It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]
Year: 2004
Pages: 159 © 2008-2017.
If you may any questions please contact us: