I was doing some cleanup on our file server yesterday and ran across something odd. One of our users had a user profile on the file server. I checked the server groups, and sure enough Domain Users was in the local Users group on the server. I removed this and deleted the user profile. But I also noticed that NT Authority\INTERACTIVE (S-1-5-4) and NT Authority\Authenticated Users (S-1-5-11) were also in the local Users group on the server.
Now I am not anywhere near as versed on security as I need to be and am trying to bone up as quickly as I can. But it seems odd to me that these two groups are in the local Users group on the server. Don't these groups allow any user to log onto the server directly? Are these necessary for file access if using domain ACLs on the shares? (OS is Server 2008 R2 x64 in a Windows domain.)
Leave aside the fact that Domain Users was present in the same group. That was probably my mistake at some point. And I will ask the user why he was logging into the server remotely. He should not have been. But I really would like to secure our systems better. And sometimes I get really confused on what is default, what is best practice, and what is just plain stupid.
Any advice would be appreciated.
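An added example, not part of the original post, that audits the membership the question describes: it lists every member of the server's local Users group together with its SID, using the WinNT ADSI provider (available on Server 2008 R2 without extra modules), and annotates the two well-known SIDs named above plus any Domain Users entry so the list can be compared against the server's documented baseline. The computer name, group name and the Get-LocalGroupAudit function name are assumptions; run it in an elevated PowerShell session on the server.

```powershell
# Added example: enumerate a local group on a Server 2008 R2 member server and
# tag well-known principals. Assumes PowerShell 2.0+ and local admin rights.
function Get-LocalGroupAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # assumed: local machine
        [string]$GroupName    = 'Users'             # assumed: the group from the post
    )

    # Well-known SIDs mentioned in the post. Domain Users is matched by its RID (513).
    $wellKnown = @{
        'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE (anyone logged on interactively / via RDP)'
        'S-1-5-11' = 'NT AUTHORITY\Authenticated Users (any authenticated domain or local account)'
    }

    # WinNT provider works on 2008 R2 where Get-LocalGroupMember does not exist.
    $group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $members = @($group.Invoke('Members'))

    $members | ForEach-Object {
        $m     = $_
        $name  = $m.GetType().InvokeMember('Name',      'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value

        $note = ''
        if     ($wellKnown.ContainsKey($sid)) { $note = $wellKnown[$sid] }
        elseif ($sid -like 'S-1-5-21-*-513')  { $note = 'Domain Users (RID 513): every account in the domain' }
        elseif ($sid -like 'S-1-5-21-*')      { $note = 'specific domain or local account/group' }

        New-Object PSObject -Property @{
            Member = $name
            Source = $path
            SID    = $sid
            Note   = $note
        }
    }
}

# Usage: review the output, then compare it with a freshly built server of the
# same role before removing anything; record the baseline for future checks.
Get-LocalGroupAudit | Sort-Object SID | Format-Table Member, SID, Note -AutoSize
```

The Note column is deliberately descriptive rather than a verdict: whether a given entry belongs in the group depends on the server's role and on which rights the Users group actually carries on that machine (the "Allow log on locally" and "Allow log on through Remote Desktop Services" user rights under Local Security Policy), so the output is meant to be checked against a known-good server rather than pruned on sight.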