Detections
Analytics

1.247 WN10-UR-000075

Information

The 'Deny log on as a batch job' user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.

GROUP ID: V-220969RULE ID: SV-220969r958472

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

The 'Deny log on as a batch job' right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler.

In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks that could lead to the compromise of an entire domain.

Solution

This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA.

Configure the policy value for

Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> 'Deny log on as a batch job'

to include the following:

Domain Systems Only:Enterprise Admin GroupDomain Admin Group

See Also

https://workbench.cisecurity.org/benchmarks/23869

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CCI|CCI-000213, Rule-ID|SV-220969r958472_rule, STIG-ID|WN10-UR-000075, Vuln-ID|V-220969

Plugin: Windows

Control ID: cfe0596fb77fc94a5a5d6e4df446f581a30e89829c6a058215a6784933b5a068