2.2.19 Ensure 'Deny log on as a service' is set to include 'Guests'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This security setting determines which service accounts are prevented from registering a process as a service.

This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.

The recommended state for this setting is to include: 'Guests'.

Note: This security setting does not apply to the System, Local Service, or Network Service accounts.

Solution

To establish the recommended configuration via GP, set the following UI path to include 'Guests':

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service

See Also

https://workbench.cisecurity.org/files/1941