2.2.17 Configure 'Deny access to this computer from the network'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This user right (SeDenyNetworkLogonRight) prohibits the listed accounts and groups from connecting to the computer from across the network (network logon, as used by SMB file sharing, RPC and remote management), which would otherwise allow them to access and potentially modify data remotely. A deny right always takes precedence over 'Access this computer from the network', so a principal that appears in both is denied.

In high security environments, there should be no need for remote users to access data on a computer.

Instead, file sharing should be accomplished through the use of network servers.

- Level 1 - Domain Controller. The recommended state for this setting is to include: 'Guests, Local account'.

- Level 1 - Member Server. The recommended state for this setting is to include: 'Guests, Local account and member of Administrators group'.

Caution: Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely administer the server.

Note: Configuring a member server or standalone server as described above may adversely affect applications that create a local service account and place it in the Administrators group. In that case you must either convert the application to use a domain-hosted service account, or remove 'Local account and member of Administrators group' from this User Right Assignment.

Using a domain-hosted service account is strongly preferred over making an exception to this rule, where possible.

Solution

To establish the recommended configuration via GP, configure the following UI path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
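The following PowerShell script is an added example for checking the effective setting on a host; it is not part of the CIS benchmark or the Tenable audit. It exports the local user-rights area with secedit, parses SeDenyNetworkLogonRight, and compares the SIDs against the Level 1 list for the selected profile (BUILTIN\Guests is S-1-5-32-546, 'Local account' is S-1-5-113, and 'Local account and member of Administrators group' is S-1-5-114). The profile names and output format are this example's own choices.

```powershell
# Added example; not part of the CIS benchmark text or the Tenable audit.
# Checks the local 'Deny access to this computer from the network' right
# (SeDenyNetworkLogonRight) against the Level 1 recommendation for the chosen
# profile. Run from an elevated prompt: secedit needs to read local policy.
param(
    [ValidateSet('DomainController', 'MemberServer')]
    [string]$Profile = 'MemberServer'
)

# Well-known SIDs named in the recommendation.
$Guests       = 'S-1-5-32-546'  # BUILTIN\Guests
$LocalAccount = 'S-1-5-113'     # NT AUTHORITY\Local account
$LocalAdmin   = 'S-1-5-114'     # NT AUTHORITY\Local account and member of Administrators group

$required = switch ($Profile) {
    'DomainController' { @($Guests, $LocalAccount) }
    'MemberServer'     { @($Guests, $LocalAccount, $LocalAdmin) }
}

# Export only the user-rights area to a temporary security template (INF).
$inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path -Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

# secedit writes UTF-16; the line of interest looks like:
#   SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113,*S-1-5-114
# If the right is not defined locally, the line is absent.
$line = Get-Content -Path $inf -Encoding Unicode |
        Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
Remove-Item -Path $inf -Force

# Parse the value into a list of SIDs. Entries prefixed with '*' are already
# SIDs; bare account names are resolved through the local SAM or the domain.
$current = @()
if ($line) {
    $current = @(((($line -split '=', 2)[1]).Trim() -split ',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $entry.Substring(1)
        } elseif ($entry) {
            $acct = New-Object System.Security.Principal.NTAccount($entry)
            $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
    })
}

$missing = @($required | Where-Object { $current -notcontains $_ })

Write-Output "Profile  : $Profile"
Write-Output "Required : $($required -join ', ')"
Write-Output "Current  : $(if ($current) { $current -join ', ' } else { '<not defined>' })"
if ($missing.Count -eq 0) {
    Write-Output 'Result   : PASS - all recommended SIDs are denied network logon.'
    exit 0
} else {
    Write-Output "Result   : FAIL - missing: $($missing -join ', ')"
    exit 1
}
```

Two caveats when using this check. S-1-5-113 and S-1-5-114 are only recognised on Windows 8.1 / Windows Server 2012 R2 and later (or on earlier versions with KB2871997 installed); on an older host the export will not contain them and the names cannot be resolved. On a domain-joined host the exported value reflects the merged local policy after Group Policy has applied, so run it after gpupdate if you have just changed the GPO. For a standalone server the same setting lives under Local Security Policy (secpol.msc) at Security Settings\Local Policies\User Rights Assignment, and the Caution above applies: adding 'Local account' there denies every local account network logon, including the one you use for remote administration.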

See Also

https://workbench.cisecurity.org/files/1941