Deny access to this computer from the networkID: oval:org.secpod.oval:def:80644 | Date: (C)2022-06-02 (M)2023-12-13 |
Class: COMPLIANCE | Family: windows |
This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
Default: Guest
Counter Measure:
Assign the Deny access to this computer from the network user right to the following accounts:
- ANONYMOUS LOGON
- Built-in local Administrator account
- Local Guest account
- Built-in Support account
- All service accounts
An important exception to this list is any service accounts that are used to start services that need to connect to the computer over the network. For example, if you have configured a shared folder for Web servers to access and present content within that folder through a Web site, you may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you need to configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
Potential Impact:
If you configure the Deny access to this computer from the network user right for other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks will not be negatively affected.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight=SeDenyNetworkLogonRight and precedence=1
Platform: |
Microsoft Windows 10 |