2.2.21 Ensure 'Deny log on through Remote Desktop Services' is set to include 'Guests', 'Local Account'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This policy setting determines whether users can log on as Terminal Services clients.

After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network.

Domain accounts can access the server for administration and end-user processing.

The recommended state for this setting is to include: 'Guests, Local account'.

Caution: Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely administer the server.

Solution

To establish the recommended configuration via GP, set the following UI path to include 'Guests, Local account': Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services
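
One way to verify the setting on a host, as an added example that is not part of the original audit: the PowerShell below parses a secedit user-rights export and checks that Guests (well-known SID S-1-5-32-546) and Local account (well-known SID S-1-5-113) hold SeDenyRemoteInteractiveLogonRight, the privilege constant behind this policy. The function name Test-DenyRdpLogon and the sample export lines are constructed for illustration.

```powershell
function Test-DenyRdpLogon {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # Principals the recommendation requires, keyed by well-known SID.
    $required = [ordered]@{
        'S-1-5-32-546' = 'Guests'
        'S-1-5-113'    = 'Local account'
    }

    # secedit writes the right as: SeDenyRemoteInteractiveLogonRight = *SID,*SID,name
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1

    $entries = @()
    if ($line) {
        $entries = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }

    # Accept either the SID or the display name; -notcontains is case-insensitive.
    $missing = @(foreach ($sid in $required.Keys) {
        if (($entries -notcontains $sid) -and ($entries -notcontains $required[$sid])) {
            $required[$sid]
        }
    })

    [pscustomobject]@{
        Compliant = ($missing.Count -eq 0)
        Assigned  = $entries
        Missing   = $missing
    }
}

# Constructed sample export (not from a real host): Local account is absent.
$sample = @(
    '[Privilege Rights]'
    'SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113'
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546'
)
Test-DenyRdpLogon -InfLines $sample

# On a live host, from an elevated prompt:
# secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
# Test-DenyRdpLogon -InfLines (Get-Content "$env:TEMP\rights.inf")
```

A missing SeDenyRemoteInteractiveLogonRight line in the export means the right is assigned to no one, which the function reports as non-compliant with both principals missing.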

See Also

https://workbench.cisecurity.org/files/1941