2.2.12 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

Information

This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers.

The recommended state for this setting is: Administrators, LOCAL SERVICE

Changing the time zone represents little vulnerability because the system time is not affected. This setting merely enables users to display their preferred time zone while being synchronized with Domain Controllers in different time zones.

Solution

To establish the recommended configuration via GP, set the following UI path to Administrators, LOCAL SERVICE :

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/15105