Detections
Analytics
WN22-DC-000390 - Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
Information
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.The 'Deny log on as a service' user right defines accounts that are denied logon as a service.
Incorrect configurations could prevent services from starting and result in a denial of service.
Solution
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on as a service to include no entries (blank).See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V2R8_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows Server 2022 STIG v2r8
Category: ACCESS CONTROL
References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-254423r1137691_rule, STIG-ID|WN22-DC-000390, Vuln-ID|V-254423
Plugin: Windows
Control ID: 0aba9ea375bf0493194ebea276514a775d527620ac7de24f3321d48bb0aaee8f