2.2.18 Ensure 'Deny log on as a batch job' is set to 'Guests'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting determines which accounts will not be able to log on to the computer as a batch job.

A batch job is not a batch (.bat) file, but rather a batch-queue facility.

Accounts that use the Task Scheduler to schedule jobs need this user right.

The Deny log on as a batch job user right overrides the Log on as a batch job user right, which could be used to allow accounts to schedule jobs that consume excessive system resources.

Such an occurrence could cause a DoS condition.

Failure to assign this user right to the recommended accounts can be a security risk.

The recommended state for this setting is to include: 'Guests'.

Solution

To establish the recommended configuration via GP, set the following UI path to include 'Guests':

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job

See Also

https://workbench.cisecurity.org/files/1941