2.2.29 (L2) Configure 'Log on as a service'

Information

This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an enterprise environment. On Windows Vista-based (or newer) computers, no users or groups have this privilege by default.

The recommended state for this setting is: No One or (when the Hyper-V feature is installed) NT VIRTUAL MACHINE\Virtual Machines or (when using Windows Defender Application Guard, such as in the Next Generation Windows Security profile) WDAGUtilityAccount.

Note: The Hyper-V feature was first introduced on Windows workstations with the 64-bit version of Windows 8.0, so the NT VIRTUAL MACHINE\Virtual Machines option does not apply to Windows 7 (or older) versions of Windows. Older OSes should only be configured for No One.

Note #2: The Windows Defender Application Guard feature was first introduced on Windows workstations with the 64-bit version of Windows 10, so the WDAGUtilityAccount option does not apply to 32-bit versions of Windows.

Log on as a service is a powerful user right because it allows accounts to launch network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account.

Solution

To establish the recommended configuration via GP, set the following UI path to No One (or, where applicable, to the Hyper-V or Windows Defender Application Guard principal named in the recommended state above):

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service

Impact:

If you have installed optional components such as ASP.NET or IIS, you may need to assign the Log on as a service user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account. On Windows Workstations with the Hyper-V feature installed, this user right should also be granted to the special group NT VIRTUAL MACHINE\Virtual Machines.
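The following PowerShell audit script is an added example and is not part of the CIS Benchmark or of Tenable's content. It exports the effective local security policy with secedit, reads the SeServiceLogonRight privilege (the underlying name of the "Log on as a service" user right), and compares the assigned principals against the recommended state: nothing, plus NT VIRTUAL MACHINE\Virtual Machines when Hyper-V is enabled and WDAGUtilityAccount when Application Guard is enabled. The well-known SID S-1-5-83-0 for the Virtual Machines group, the optional-feature names Microsoft-Hyper-V and Windows-Defender-ApplicationGuard, and the temporary file path are assumptions made for this example; run it from an elevated session, since both secedit /export and Get-WindowsOptionalFeature -Online require administrative rights.

```powershell
# Added audit example (not CIS Benchmark or Tenable code); run in an elevated PowerShell session.
# Checks SeServiceLogonRight ("Log on as a service") against the benchmark's recommended state.

function Get-AllowedServiceLogonSids {
    param([bool]$HyperVInstalled, [bool]$WdagInUse)
    $allowed = @()
    if ($HyperVInstalled) {
        # Assumed well-known SID of NT VIRTUAL MACHINE\Virtual Machines
        $allowed += 'S-1-5-83-0'
    }
    if ($WdagInUse) {
        # WDAGUtilityAccount is a local account, so its SID is machine-specific; resolve it here
        try {
            $acct = New-Object System.Security.Principal.NTAccount('WDAGUtilityAccount')
            $allowed += $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning 'WDAGUtilityAccount could not be resolved on this system'
        }
    }
    return $allowed
}

function Get-ServiceLogonRightSids {
    # Assumed scratch location for the exported policy template
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    # /areas USER_RIGHTS limits the export to the [Privilege Rights] section
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # no line means the right is assigned to No One
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    $sids = foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $e.Substring(1)          # secedit prefixes raw SIDs with '*'
        } else {
            # plain account name: resolve to a SID so every entry is compared the same way
            try {
                (New-Object System.Security.Principal.NTAccount($e)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $e }
        }
    }
    return @($sids)
}

function Test-ServiceLogonRight {
    $hyperV = (Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' `
        -ErrorAction SilentlyContinue).State -eq 'Enabled'
    $wdag = (Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' `
        -ErrorAction SilentlyContinue).State -eq 'Enabled'
    $allowed  = Get-AllowedServiceLogonSids -HyperVInstalled $hyperV -WdagInUse $wdag
    $assigned = Get-ServiceLogonRightSids
    # Any principal holding the right that is not in the allowed set is a finding
    $extra = @($assigned | Where-Object { $allowed -notcontains $_ })
    if ($extra.Count -eq 0) {
        Write-Output 'PASS: Log on as a service is restricted to the recommended principals'
        return $true
    }
    Write-Output 'FAIL: unexpected principals hold SeServiceLogonRight:'
    foreach ($s in $extra) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($s)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $name = '(unresolved)' }
        Write-Output "  $s  $name"
    }
    return $false
}

Test-ServiceLogonRight
```

The script reports rather than remediates: a FAIL listing is the input to the evaluation the Information section calls for, because entries such as the ASPNET account or an application's service account named in the Impact section may be legitimate exceptions that should be documented instead of removed.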

See Also

https://workbench.cisecurity.org/benchmarks/16515