What's the sense in having RemoteDesktopUsers without "log on through Remote Desktop Services" privilege? [closed]

Recently Microsoft changed the default policies in Windows Azure Guest OSs (Windows 2008, Windows 2008 R2 and Windows 2012). One of the changes is that now only members of the Administrators group have "Allow log on through Remote Desktop Services", and members of RemoteDesktopUsers no longer have the privilege.

Now how does it make sense? RemoteDesktopUsers is the group intended to allow logon via Remote Desktop and if this privilege is revoked the group makes no sense.

What's the sense in having RemoteDesktopUsers without "log on through Remote Desktop Services" privilege?


Solution 1:

I guess the idea is to offer a more locked down version out of the box.

The group, as you mention, doesn't make sense since that is its sole purpose, but you'll notice that this is exactly what they've done in this update on several other policies as well.

As an example

Allow log on locally. From: Administrators, Users, Backup Operators. To: Administrators.

And

Behavior of the elevation prompt for standard users. From: Prompt for credentials on the secure desktop. To: Prompt for credentials.

So as a default policy they are trying to push to an Admin only environment by default. Why? Because they want to shrink the attack surface by making privilege escalation harder.

There's a conversation to be had whether eliminating default groups/users is actually effective and whether their security policies make sense.

Another reason might be hidden between the lines:

"[..] have been implemented to meet security and compliance recommendations." Where sometimes common sense is devoured.
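The practical follow-up to both the question and the answer is to check which principals actually hold the two user rights on a given box and, if you decide the wider attack surface is acceptable, how to give "Allow log on through Remote Desktop Services" back to Remote Desktop Users. The script below is an added example, not code from the question, the answer or Microsoft; it assumes an elevated PowerShell prompt, that `secedit` is available (it ships with every Windows version mentioned in the question), and that the `secedit /export` output uses the `SeXxxRight = *SID,*SID` line format, which is what it produces on those versions. The SID-to-name table and the temp file paths are the example's own choices.

```powershell
# Added example, not part of the original question or answer. Run elevated.
# 1. Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Constant names as they appear in the .inf, mapped to the Local Security Policy labels
# used in the question and answer.
$rights = @{
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
}

# Well-known SIDs of the built-in groups the thread talks about (assumed subset).
$knownSids = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

# 2. Report who currently holds each right. secedit writes SIDs with a leading '*'.
$policy = Get-Content $cfg
foreach ($right in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) {
        "$($rights[$right]): nobody (right is not assigned at all)"
        continue
    }
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        if ($knownSids.ContainsKey($sid)) { $knownSids[$sid] } else { $sid }
    }
    "$($rights[$right]): $($holders -join ', ')"
}

# 3. Optional: restore the pre-change default (Administrators + Remote Desktop Users)
#    for the RDP logon right. Single-quoted here-string so the $CHICAGO$ signature is
#    not interpolated. secedit /configure replaces the whole right, so list every SID
#    that should keep it, not only the one being added.
$restore = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@
$fix = Join-Path $env:TEMP 'restore-rdp-right.inf'   # assumed scratch path
$db  = Join-Path $env:TEMP 'restore-rdp-right.sdb'   # assumed scratch database
Set-Content -Path $fix -Value $restore -Encoding Unicode
# Uncomment to apply; re-run step 2 afterwards to confirm the change took effect.
# secedit /configure /db $db /cfg $fix /areas USER_RIGHTS | Out-Null
```

Running the report step on an image with the new defaults should list only Administrators for both rights; on a pre-change image the RDP right also shows Remote Desktop Users. Keep in mind that the user right only makes logon possible: a member of Remote Desktop Users still needs the group membership plus the right, and domain Group Policy can overwrite whatever you set locally at the next refresh.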