Detections
Analytics
WN12-UR-000019-DC - The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
Information
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.The 'Deny log on as a service' user right defines accounts that are denied log on as a service.
Incorrect configurations could prevent services from starting and result in a DoS.
Solution
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> 'Deny log on as a service' to include no entries (blank).See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R7_STIG.zip
Item Details
Category: ACCESS CONTROL
References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-226383r794628_rule, STIG-ID|WN12-UR-000019-DC, STIG-Legacy|SV-51146, STIG-Legacy|V-26484, Vuln-ID|V-226383
Plugin: Windows
Control ID: a616ceb32a7899dd1dea75de82ce0d018b46e6b7775aa4ed4be723ef38fc0ec5