CCE-37848-9Platform: cpe:/o:microsoft:windows_server_2012::r2 | Date: (C)2015-10-08 (M)2023-07-04 |
Domain controller: Allow server operators to schedule tasks
This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job.
Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu.
Parameter:
[disable/enable]
Technical Mechanism:
(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options!Domain controller: Allow server operators to schedule tasks
(2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa!SubmitControl
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.8 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:23033 |