Allow log on through Remote Desktop Services

ID: oval:org.secpod.oval:def:36479
Date: (C)2016-08-05   (M)2023-12-13
Class: COMPLIANCE
Family: windows




This security setting determines which users or groups have permission to log on as a Remote Desktop Services client.

Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators.

Important: This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.

Counter Measure: For domain controllers, assign the Allow log on through Terminal Services user right only to the Administrators group. For other server roles and end-user computers, add the Remote Desktop Users group. For Terminal Servers that do not run in Application Server mode, ensure that only authorized IT personnel who need to manage the computers remotely belong to either of these groups.

Caution: For Terminal Servers that do run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group, because this built-in group has this logon right by default. Alternatively, you can assign the Deny Logon Through Terminal Services user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also happen to belong to a group that has the Deny Logon Through Terminal Services user right.

Potential Impact: Removal of the Allow log on through Terminal Services user right from other groups or membership changes in these default groups could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities will not be adversely affected.

Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeRemoteInteractiveLogonRight' and precedence=1
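
An added example, not part of the SecPod definition: a PowerShell audit that compares the accounts holding SeRemoteInteractiveLogonRight in a secedit export against an allow-list. The function names are hypothetical, the sample export is constructed, and the allow-list assumes the workstation defaults described above (use only S-1-5-32-544 for a domain controller).

```powershell
# Added example. Get-UserRightSids and Test-RdpLogonRight are hypothetical helper names.
# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
#                  S-1-5-32-555 = BUILTIN\Remote Desktop Users
function Get-UserRightSids {
    param([string[]]$InfLines, [string]$Right)
    # secedit writes "Right = *SID,*SID,name"; no line means no account holds the right
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1]
    return @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

function Test-RdpLogonRight {
    param([string[]]$InfLines, [string[]]$Allowed)
    $actual = @(Get-UserRightSids -InfLines $InfLines -Right 'SeRemoteInteractiveLogonRight')
    # Anything not on the allow-list is reported, including accounts secedit
    # could only write by name instead of by SID
    $extra = @($actual | Where-Object { $_ -notin $Allowed })
    [pscustomobject]@{ Compliant = ($extra.Count -eq 0); Assigned = $actual; Unexpected = $extra }
}

# Constructed sample of a secedit export (not taken from a real host)
$sample = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545',
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-32-546'
)
$workstation = 'S-1-5-32-544', 'S-1-5-32-555'
# Reports S-1-5-32-546 (BUILTIN\Guests) as unexpected
Test-RdpLogonRight -InfLines $sample -Allowed $workstation

# Live check from an elevated prompt: export only the user-rights area and test it
if ($env:OS -eq 'Windows_NT') {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (Test-Path $cfg) {
        Test-RdpLogonRight -InfLines (Get-Content $cfg) -Allowed $workstation
        Remove-Item $cfg
    }
}
```

The export reflects the effective local policy, so a non-compliant result on a domain-joined machine usually has to be corrected in the GPO listed under Fix rather than locally.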

Platform:
Microsoft Windows 10
Reference:
CCE-41832-7
CCE    1
CCE-41832-7
XCCDF    5
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_10
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_10
xccdf_org.secpod_benchmark_PCI_3_2_Windows_10
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_10
...

© SecPod Technologies