STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021: STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:SV-226371r569184_rule
V-226371
SRG-OS-000080-GPOS-00048
WN12-UR-000002-DC
CAT II
10
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Access this computer from the network" to only include the following accounts or groups:
Administrators
Authenticated Users
Enterprise Domain Controllers
Severity Override Guidance: If an application requires this user right, this can be downgraded to not a finding if the following conditions are met:
- Vendor documentation must support the requirement for having the user right.
- The requirement must be documented with the ISSO.
- The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662).
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding:
Administrators
Authenticated Users
Enterprise Domain Controllers
V-226371
False
WN12-UR-000002-DC
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding:
Administrators
Authenticated Users
Enterprise Domain Controllers
M
4217