Detections
Analytics

1.184 WN19-DC-000390

Information

Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.

GROUP ID: V-205669
RULE ID: SV-205669r958472

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

The 'Deny log on as a service' user right defines accounts that are denied logon as a service.

Incorrect configurations could prevent services from starting and result in a denial of service.

Solution

Configure the policy value for

Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> 'Deny log on as a service'

to include no entries (blank).

See Also

https://workbench.cisecurity.org/benchmarks/22176

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7)(b)

Plugin: Windows

Control ID: ca9624b3b871a09cf2701b2fe0b6b0ec3d0502f1e4501c6acaa86da3942f5787