[Forgot Password]
Login  Register Subscribe

23631

 
 

126173

 
 

98218

 
 

909

 
 

79224

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

Deny log on locally

ID: oval:org.secpod.oval:def:40246Date: (C)2017-04-25   (M)2017-11-21
Class: COMPLIANCEFamily: windows




This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one will be able to log on locally. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Vulnerability: Any account with the ability to log on locally could be used to log on at the console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges. Counter Measure: Assign the Deny log on locally user right to the built-in Support account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. Note The Support_388945a0 account enables Help and Support Service interoperability with signed scripts. This account is primarily used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate the ability for a typical user who does not have administrative access to run signed scripts from links that are embedded within Help and Support Services. These scripts can be programmed to use the Support_388945a0 account credentials instead of the user's credentials to perform specific administrative operations on the local computer that otherwise would not be supported by the typical user's account. When the delegated user clicks on a link in Help and Support Services, the script will run under the security context of the Support_388945a0 account. This account has limited access to the computer and is disabled by default. Potential Impact: If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on computers that run IIS 6.0. You should confirm that delegated activities will not be adversely affected. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally (2) REG: NO INFO

Platform:
Microsoft Windows Server 2016
Reference:
CCE-46108-7
CPE    1
cpe:/o:microsoft:windows_server_2016:::x64
CCE    1
CCE-46108-7
XCCDF    3
xccdf_org.secpod_benchmark_general_Windows_Server_2016
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_Server_2016
xccdf_org.secpod_benchmark_PCI_3_2_Windows_Server_2016

© 2013 SecPod Technologies