Detections
Analytics
2.2.23 Ensure 'Deny access to this computer from the network' to include 'Guests, member of Administrators group, Enterprise Admins Group, and Domain Admins Group' (STIG MS only)
Information
This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers. This user right supersedes the Access this computer from the network user right if an account is subject to both policies.The recommended state for this setting is to include: Guests, member of Administrators group, Enterprise Admins Group, and Domain Admins Group.
Caution: Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely administer the server.
Note: The security identifier Local account and member of Administrators group is not available in Server 2008 R2 and Server 2012 (non-R2) unless MSKB 2871997 has been installed.
Note #2: Configuring a Member Server or standalone server as described above may adversely affect applications that create a local service account and place it in the Administrators group - in which case you must either convert the application to use a domain-hosted service account, or remove Local account and member of Administrators group from this User Right Assignment. Using a domain-hosted service account is strongly preferred over making an exception to this rule, where possible.
Note #3: The CIS recommended state for this setting is: Guests, Local account and member of Administrators group, which differs from the STIG recommended state.
Rationale:
Users who can log on to the computer over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
Impact:
If you configure the Deny access to this computer from the network user right for other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks will not be negatively affected.
Solution
To establish the recommended configuration via GP, configure the following UI path: Guests, member of Administrators group, Enterprise Admins Group, and Domain Admins GroupComputer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Default Value:
No one.
Additional Information:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-225015
Rule ID: SV-225015r569186_rule
STIG ID: WN16-MS-000370
Severity: CAT II
See Also
Item Details
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|5.1
Plugin: Windows
Control ID: 9875f0ea8844c8008fc41d33bceeb407cd629bc34d209dde18fc4d9236b9b530