[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-44499-2

Platform: cpe:/o:microsoft:windows_server_2016Date: (C)2017-08-03   (M)2023-07-04



This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Vulnerability: Users who can log on to the computer over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. Counter Measure: Assign the Deny access to this computer from the network user right to the following accounts: - ANONYMOUS LOGON - Built-in local Administrator account - Local Guest account - Built-in Support account - All service accounts An important exception to this list is any service accounts that are used to start services that need to connect to the computer over the network. For example, if you have configured a shared folder for Web servers to access and present content within that folder through a Web site, you may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you need to configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. Potential Impact: If you configure the Deny access to this computer from the network user right for other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks will not be negatively affected. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentDeny access to this computer from the network (2) REG: NO INFO


Parameter:

[default]


Technical Mechanism:

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network (2) REG: NO INFO

CCSS Severity:CCSS Metrics:
CCSS Score : 5.6Attack Vector: NETWORK
Exploit Score: 2.2Attack Complexity: HIGH
Impact Score: 3.4Privileges Required: NONE
Severity: MEDIUMUser Interaction: NONE
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LScope: UNCHANGED
 Confidentiality: LOW
 Integrity: LOW
 Availability: LOW
  

References:
Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:40234


OVAL    1
oval:org.secpod.oval:def:40234
XCCDF    5
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_Server_2016
xccdf_org.secpod_benchmark_PCI_3_2_Windows_Server_2016
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_Server_2016
xccdf_org.secpod_benchmark_general_Windows_Server_2016
...

© SecPod Technologies