In the User Manager for Domains, check the rights that users and groups have on the system. Choose User Rights from the Policies menu to display the User Rights Policy dialog box. Initially, the box shows the basic rights. To evaluate all rights, click the Show Advanced User Rights option. Here are some considerations for basic rights:
Access this computer from the network: By default, only the Administrators and Everyone groups have this right. Remove the Everyone group (why would you want everyone to access this server from the network if you are interested in security?), then add specific groups as appropriate. For example, create a new group called "Network Users" with this right, then add users who should have network access.
Backup files and directories: Users with this right can potentially carry any files off-site. Carefully evaluate which users and groups have this right. Also evaluate the Restore files and directories right.
Log on locally: For servers, only administrators should have this right. No regular user ever needs to log on directly to the server itself. By default, the administrative groups (Administrators, Server Manager, etc.) have this right. Make sure that any user who is a member of these groups has a separate management account.
Manage auditing and security logs: Only the Administrators group should have this right.
Take ownership of files or other objects: Only the Administrators group should have this right.
Scan all the advanced rights to make sure that a user has not been granted rights inappropriately. Some rights should only be assigned to the System account. A rogue administrator might manage to grant himself inappropriate rights and gain extended privileges on the system.
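The same checklist can be applied to an exported rights assignment instead of reading the dialog box by eye. The following is an added example, not part of the original page: it assumes a Windows version that ships `secedit` (which postdates User Manager for Domains), a constructed sample export, and the hypothetical accounts `jsmith` and `helpdesk`.

```python
# Constructed sample (not from the page) of the section written by
# `secedit /export /cfg rights.inf /areas USER_RIGHTS`.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,jsmith
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544,helpdesk
[Version]
Revision=1
"""

EVERYONE, ADMINS, SERVER_OPS = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-549"
# Holders the checklist allows per right. Treating Server Operators as an
# "administrative group" for local logon is this example's assumption.
ALLOWED = {
    "SeInteractiveLogonRight": {ADMINS, SERVER_OPS},  # Log on locally
    "SeSecurityPrivilege": {ADMINS},       # Manage auditing and security logs
    "SeTakeOwnershipPrivilege": {ADMINS},  # Take ownership of files or objects
}
# Rights the checklist says to evaluate holder by holder (backup and restore).
REVIEW = ("SeBackupPrivilege", "SeRestorePrivilege")

def parse_rights(inf_text):
    """Return {right: [holder, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in holders.split(",") if h.strip()]
    return rights

def audit(rights):
    """Return (severity, right, holder) tuples for deviations from the checklist."""
    findings = []
    if EVERYONE in rights.get("SeNetworkLogonRight", []):
        findings.append(("FAIL", "SeNetworkLogonRight", EVERYONE))
    for right, allowed in ALLOWED.items():
        findings += [("FAIL", right, h) for h in rights.get(right, []) if h not in allowed]
    for right in REVIEW:
        findings += [("REVIEW", right, h) for h in rights.get(right, []) if h != ADMINS]
    return findings

if __name__ == "__main__":
    for severity, right, holder in audit(parse_rights(SAMPLE_INF)):
        print(f"{severity:6} {right:26} {holder}")
```

A real export is normally UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_rights`.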