Detections
Analytics

1.183 WN16-DC-000390

Information

The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.

GROUP ID: V-225002
RULE ID: SV-225002r958472

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

The 'Deny log on as a service' user right defines accounts that are denied logon as a service.

Incorrect configurations could prevent services from starting and result in a denial of service.

Solution

Configure the policy value for

Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> 'Deny log on as a service'

to include no entries (blank).

See Also

https://workbench.cisecurity.org/benchmarks/23093

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7)(b)

Plugin: Windows

Control ID: a9412d2339d7d37906bc3a6c3f5372a72cca808e0c59549137f5f2f461de750a