|Platform: win8.1||Date: (C)2015-10-14 (M)2017-10-16|
Deny access to this computer from the network
This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers.
When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Windows 8.1 and Windows Server 2012 R2 introduces a new pseudo group called ?Local Account? that any local-account logon gets in its token and that has been backported to Windows 7 and Window Server 2008 R2 and later versions that have KB 2871997 installed. Guests and Local Account should be denied network logon. Also, the Enterprise Admins and Domain Admins groups should also be denied all access on all clients and servers except for Domain Controllers and dedicated administrative workstations.
Note The Enterprise Admins and Domain Admins groups are domain-specific and cannot be specified in generic baselines such as those in SCM. These must be manually added to the Group Policy setting.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment!Deny access to this computer from the network
(2) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeDenyNetworkLogonRight' and precedence=1
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:22424|