2.2.31 Ensure 'Deny log on locally' to include 'Guests, Enterprise Admins group, and Domain Admins group' (STIG MS only)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.

The recommended state for this setting is to include: Guests, Enterprise Admins group, and Domain Admins group.

Important: If you apply this security policy to the Everyone group, no one will be able to log on locally.

Note: The CIS recommended state for this setting is: Guests, which differs from the STIG recommended state.

Rationale:

Any account with the ability to log on locally could be used to log on at the console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.

Impact:

If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on computers that run IIS 6.0. You should confirm that delegated activities will not be adversely affected.

Solution

To establish the recommended configuration via GP, set the following UI path to include Guests, Enterprise Admins group, and Domain Admins group:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally

Default Value:

No one.

Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205675
Rule ID: SV-205675r569188_rule
STIG ID: WN19-MS-000110
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3345