STIGQter STIGQter: STIG Summary: Windows 2008 Member Server Security Technical Implementation Guide Version: 6 Release: 43 Benchmark Date: 26 Jul 2019: The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.

DISA Rule

SV-47123r1_rule

Vulnerability Number

V-26484

Group Title

Deny log on as service

Rule Version

WINUR-000019-MS

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a service" to include the following for domain joined systems.

Enterprise Admins Group
Domain Admins Group

Configure the "Deny log on as a service" for non-domain systems to include no entries (blank).

Check Contents

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> User Rights Assignment.

If the following accounts or groups are not defined for the "Deny log on as a service" right on domain joined systems, this is a finding:

Enterprise Admins Group
Domain Admins Group

If any accounts or groups are defined for the "Deny log on as a service" right on non-domain joined systems, this is a finding.

Vulnerability Number

V-26484

Documentable

False

Rule Version

WINUR-000019-MS

Severity Override Guidance

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> User Rights Assignment.

If the following accounts or groups are not defined for the "Deny log on as a service" right on domain joined systems, this is a finding:

Enterprise Admins Group
Domain Admins Group

If any accounts or groups are defined for the "Deny log on as a service" right on non-domain joined systems, this is a finding.

Check Content Reference

M

Responsibility

System Administrator

Target Key

1340

Comments