STIGQter STIGQter: STIG Summary: Microsoft Windows Server 2019 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

Windows Server 2019 Kerberos user logon restrictions must be enforced.

DISA Rule

SV-205702r569188_rule

Vulnerability Number

V-205702

Group Title

SRG-OS-000112-GPOS-00057

Rule Version

WN19-DC-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled".

Check Contents

This applies to domain controllers. It is NA for other systems.

Verify the following is configured in the Default Domain Policy:

Open "Group Policy Management".

Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain).

Right-click on the "Default Domain Policy".

Select "Edit".

Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.

If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.

Vulnerability Number

V-205702

Documentable

False

Rule Version

WN19-DC-000020

Severity Override Guidance

This applies to domain controllers. It is NA for other systems.

Verify the following is configured in the Default Domain Policy:

Open "Group Policy Management".

Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain).

Right-click on the "Default Domain Policy".

Select "Edit".

Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.

If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.

Check Content Reference

M

Target Key

2907

Comments