Detections
Analytics
WN22-DC-000380 - Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
Information
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.The 'Deny log on as a batch job' user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler.
The Guests group must be assigned to prevent unauthenticated access.
Solution
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on as a batch job to include the following:- Guests Group
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V2R8_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows Server 2022 STIG v2r8
Category: ACCESS CONTROL
References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-254422r1137691_rule, STIG-ID|WN22-DC-000380, Vuln-ID|V-254422
Plugin: Windows
Control ID: 3734b0156e2f9fdd179c1280a1891cc63e439274a82d05328d354e6306af5a4c