Detections
Analytics

1.183 WN22-DC-000380

Information

Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.

GROUP ID: V-254422
RULE ID: SV-254422r958472

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

The 'Deny log on as a batch job' user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler.

The Guests group must be assigned to prevent unauthenticated access.

Solution

Configure the policy value for

Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on as a batch job

to include the following:

 - Guests Group

See Also

https://workbench.cisecurity.org/benchmarks/22357

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-254422r958472_rule, STIG-ID|WN22-DC-000380, Vuln-ID|V-254422

Plugin: Windows

Control ID: c287db925aa353866728f884c2a174d17bc7a8460003c3c5898d615951a7bb24