Deny log on locallyID: oval:org.secpod.oval:def:36549 | Date: (C)2016-08-05 (M)2023-12-13 |
Class: COMPLIANCE | Family: windows |
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
Important
If you apply this security policy to the Everyone group, no one will be able to log on locally.
Default: None
Counter Measure:
Assign the Deny log on locally user right to the built-in Support account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
Note: The Support_388945a0 account enables Help and Support Service interoperability with signed scripts. This account is primarily used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate the ability for a typical user who does not have administrative access to run signed scripts from links that are embedded within Help and Support Services. These scripts can be programmed to use the Support_388945a0 account credentials instead of the user's credentials to perform specific administrative operations on the local computer that otherwise would not be supported by the typical user's account. When the delegated user clicks on a link in Help and Support Services, the script will run under the security context of the Support_388945a0 account. This account has limited access to the computer and is disabled by default.
Potential Impact:
If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on computers that run IIS 6.0. You should confirm that delegated activities will not be adversely affected.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeDenyInteractiveLogonRight' and precedence=1
Platform: |
Microsoft Windows 10 |