Copyright notice: All information on this page is based on the recommendations made in the "Microsoft Windows Server 2003 Security Guide" at http://go.microsoft.com/fwlink/?LinkId=14845
Audit Policy
You can configure the Audit policy setting values in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality |
---|---|---|---|
Audit account logon events | Success | Success | Success, Failure |
Audit account management | Success | Success | Success, Failure |
Audit logon events | Success | Success | Success, Failure |
Audit object access | No Auditing | No Auditing | Failure |
Audit policy change | Success | Success | Success |
Audit privilege use | No Auditing | No Auditing | Failure |
Audit process tracking | No Auditing | No Auditing | No Auditing |
Audit system events | Success | Success | Success |
User Rights Assignments
User rights assignments provide users and groups with logon rights or privileges on the computers in your organization. An example of a logon right is the right to log on to a computer interactively. An example of a privilege is the right to shut down the computer. Both types are assigned by administrators to individual users or groups as part of the security settings for the computer.
Note: Throughout this section, "Not defined" applies only to users; Administrators still have the user right. Local administrators can make changes, but any domain-based Group Policy settings will override them the next time that the Group Policies are refreshed or reapplied.
You can configure the user rights assignment settings in Windows Server 2003 with SP1 at the following location within the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
The following table includes the user rights assignments setting recommendations for all three environments that are defined on this page.
Setting | Legacy Client | Enterprise Client | Specialized Security – Limited Functionality |
---|---|---|---|
Access this computer from the network | Not defined | Not defined | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS |
Act as part of the operating system | Not defined | Not defined | No one |
Adjust memory quotas for a process | Not defined | Not defined | Administrators, NETWORK SERVICE, LOCAL SERVICE |
Allow log on locally | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users | Administrators |
Allow log on through Terminal Services | Administrators and Remote Desktop Users | Administrators and Remote Desktop Users | Administrators |
Back up files and directories | Not defined | Not defined | Administrators |
Bypass traverse checking | Not defined | Not defined | Authenticated Users |
Change the system time | Not defined | Not defined | Administrators, LOCAL SERVICE |
Create a pagefile | Not defined | Not defined | Administrators |
Create a token object | Not defined | Not defined | No one |
Create global objects | Not defined | Not defined | Administrators, SERVICE |
Create permanent shared objects | Not defined | Not defined | No one |
Debug programs | Not defined | Administrators | No one |
Deny access to this computer from the network | ANONYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accounts | ANONYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accounts | ANONYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accounts |
Deny logon as a batch job | Guests; Support_388945a0 | Guests; Support_388945a0 | Guests; Support_388945a0 |
Deny logon as a service | Not defined | Not defined | No one |
Deny logon locally | Not defined | Not defined | Guests; Support_388945a0 |
Deny logon through Terminal Services | Guests | Guests | Guests |
Enable computer and user accounts to be trusted for delegation | Not defined | Not defined | Administrators |
Force shutdown from a remote system | Not defined | Not defined | Administrators |
Generate security audits | Not defined | Not defined | NETWORK SERVICE, LOCAL SERVICE |
Impersonate a client after authentication | Not defined | Not defined | Administrators, SERVICE |
Increase scheduling priority | Not defined | Not defined | Administrators |
Load and unload device drivers | Not defined | Not defined | Administrators |
Lock pages in memory | Not defined | Not defined | No one |
Log on as a batch job | Not defined | Not defined | Not defined |
Log on as a service | Not defined | Not defined | NETWORK SERVICE |
Manage auditing and security log | Not defined | Not defined | Administrators |
Modify firmware environment values | Not defined | Not defined | Administrators |
Perform volume maintenance tasks | Not defined | Not defined | Administrators |
Profile single process | Not defined | Not defined | Administrators |
Profile system performance | Not defined | Not defined | Administrators |
Remove computer from docking station | Not defined | Not defined | Administrators |
Replace a process level token | Not defined | Not defined | LOCAL SERVICE, NETWORK SERVICE |
Restore files and directories | Not defined | Not defined | Administrators |
Shut down the system | Not defined | Not defined | Administrators |
Synchronize directory service data | Not defined | Not defined | No one |
Take ownership of files or other objects | Not defined | Not defined | Administrators |
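A way to verify that a server actually matches the Specialized Security – Limited Functionality column of both tables above is to export the effective local policy with `secedit /export /cfg <file>` and compare it against the baseline. The following Python check is an added example, not part of the Security Guide; it assumes the INF layout secedit writes (audit settings as a bitmask under `[Event Audit]`, user rights as comma-separated, `*`-prefixed SIDs under `[Privilege Rights]`), and the sample export embedded below is constructed to contain deliberate deviations.

```python
import configparser
# Constructed sample of a `secedit /export /cfg <file>` result, trimmed to the two
# sections checked here (a real export is UTF-16 and has more sections).
SAMPLE_INF = """\
[Event Audit]
AuditAccountLogon = 1
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
"""
# SSLF column of the Audit Policy table as the INF bitmask: 0 = No Auditing,
# 1 = Success, 2 = Failure, 3 = Success and Failure.
SSLF_AUDIT = {"AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditLogonEvents": 3,
              "AuditObjectAccess": 2, "AuditPolicyChange": 1, "AuditPrivilegeUse": 2,
              "AuditProcessTracking": 0, "AuditSystemEvents": 1}
# Four SSLF user rights as well-known SIDs (Administrators S-1-5-32-544, Authenticated
# Users S-1-5-11, ENTERPRISE DOMAIN CONTROLLERS S-1-5-9); an empty set means "No one".
SSLF_RIGHTS = {"SeNetworkLogonRight": {"S-1-5-32-544", "S-1-5-11", "S-1-5-9"},
               "SeTcbPrivilege": set(), "SeDebugPrivilege": set(),
               "SeInteractiveLogonRight": {"S-1-5-32-544"}}

def parse_inf(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as secedit writes it
    cp.read_string(text)
    return cp

def holders(value):
    """'*S-1-5-32-544,*S-1-5-11' -> {'S-1-5-32-544', 'S-1-5-11'}; '' -> set()."""
    return {p.strip().lstrip("*") for p in (value or "").split(",") if p.strip()}

def audit_findings(text):
    """Audit settings missing a bit SSLF requires -> {key: (actual, expected)}."""
    cp = parse_inf(text)
    have = {k: int(cp.get("Event Audit", k, fallback="0")) for k in SSLF_AUDIT}  # absent = 0
    return {k: (have[k], w) for k, w in SSLF_AUDIT.items() if have[k] & w != w}

def rights_findings(text):
    """Rights held by principals outside the SSLF list -> {key: extra SIDs}."""
    cp = parse_inf(text)
    have = {k: holders(cp.get("Privilege Rights", k, fallback="")) for k in SSLF_RIGHTS}
    return {k: have[k] - a for k, a in SSLF_RIGHTS.items() if have[k] - a}
```

Extra auditing (a Failure bit where only Success is required) is not reported, since it only adds events; a right granted to a principal the baseline does not list is reported because that is the change that widens access.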