Deny log on locally
|ID: oval:org.secpod.oval:def:40246||Date: (C)2017-04-25 (M)2018-11-15|
|Class: COMPLIANCE||Family: windows|
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one will be able to log on locally.
When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Any account with the ability to log on locally could be used to log on at the console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.
Assign the Deny log on locally user right to the built-in Support account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
The Support_388945a0 account enables Help and Support Service interoperability with signed scripts. This account is primarily used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate the ability for a typical user who does not have administrative access to run signed scripts from links that are embedded within Help and Support Services. These scripts can be programmed to use the Support_388945a0 account credentials instead of the user's credentials to perform specific administrative operations on the local computer that otherwise would not be supported by the typical user's account. When the delegated user clicks on a link in Help and Support Services, the script will run under the security context of the Support_388945a0 account. This account has limited access to the computer and is disabled by default.
If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on computers that run IIS 6.0. You should confirm that delegated activities will not be adversely affected.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
(2) REG: NO INFO
|Microsoft Windows Server 2016|