2.2.28 Ensure 'Deny log on as a service' to include 'Enterprise Admins Group and Domain Admins Group' (STIG MS only)

Information

This security setting determines which service accounts are prevented from registering a process as a service. This user right supersedes the Log on as a service user right if an account is subject to both policies.

The recommended STIG state for this setting is to include: Enterprise Admins Group and Domain Admins Group

Note: The CIS recommended state for this setting is: Guests for both Domain Controllers and Member Servers, which differs from the STIG recommended state.

Note #2: This security setting does not apply to the System, Local Service, or Network Service accounts.

Accounts that can log on as a service could be used to configure and start new unauthorized services, such as a keylogger or other malicious software. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative privileges can install and configure services, and an attacker who has already attained that level of access could configure the service to run with the System account.

Solution

To establish the recommended configuration via GP, set the following UI path to include Enterprise Admins Group and Domain Admins Group:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service

Impact:

If you assign the Deny log on as a service user right to specific accounts, services may not be able to start and a DoS condition could result.
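The following PowerShell is an added example for the Solution and Impact sections above; it is not part of the CIS/STIG benchmark text. It audits the current "Deny log on as a service" assignment (stored by secedit as SeDenyServiceLogonRight), checks whether Domain Admins (RID 512) and Enterprise Admins (RID 519) are present, and lists services that run under non-built-in accounts so the DoS risk can be assessed before the setting is pushed through GP. It assumes an elevated session on a domain-joined member server; the local-apply function assumes a single-domain forest (so that Enterprise Admins resolves in the same domain) and is only for lab testing, since a GPO-managed right overwrites local changes at the next refresh.

```powershell
# Added example, not benchmark text. Run elevated on a domain-joined member server.
# Well-known RIDs: Domain Admins = 512, Enterprise Admins = 519 (assumed single-domain forest).

function Get-DenyServiceLogonRight {
    # secedit exports User Rights Assignment as an INF; the right is a comma-separated
    # list of *SIDs (or plain names for accounts it could not resolve).
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyServiceLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }            # right undefined: nobody is denied
    $value = ($line -split '=', 2)[1].Trim()
    if (-not $value) { return @() }
    $value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-DenyServiceLogonStig {
    # Returns $true only when both groups are in the deny list, matching by RID
    # suffix when the entry is a SID and by name when secedit kept the name.
    $assigned = Get-DenyServiceLogonRight
    $hasDA = $assigned | Where-Object { $_ -match '-512$' -or $_ -like '*\Domain Admins' }
    $hasEA = $assigned | Where-Object { $_ -match '-519$' -or $_ -like '*\Enterprise Admins' }
    [pscustomobject]@{
        Assigned              = $assigned -join ','
        DomainAdminsDenied    = [bool]$hasDA
        EnterpriseAdminsDenied = [bool]$hasEA
        Compliant             = [bool]$hasDA -and [bool]$hasEA
    }
}

function Get-NonBuiltinServiceAccounts {
    # Services whose logon account is a real user or group account. If any of these
    # is a member (directly or via nesting) of Domain Admins or Enterprise Admins,
    # it will fail to start once the deny right applies (the DoS case above).
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.StartName -and
            $builtin -notcontains $_.StartName -and
            $_.StartName -notlike 'NT SERVICE\*'      # per-service virtual accounts
        } |
        Select-Object Name, StartName, State, StartMode
}

function Set-DenyServiceLogonStigLocal {
    # Lab-only local remediation via secedit; production should use the GP path
    # in the Solution section because a GPO overwrites this at the next refresh.
    $domain = $env:USERDOMAIN                 # assumption: single-domain forest
    $sids = foreach ($group in 'Domain Admins', 'Enterprise Admins') {
        ([System.Security.Principal.NTAccount]"$domain\$group").
            Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    # Keep whatever is already denied (e.g. Guests from the CIS baseline) and add the two groups.
    $current = Get-DenyServiceLogonRight
    $merged  = @($current + $sids | Sort-Object -Unique | ForEach-Object {
        if ($_ -match '^S-1-') { "*$_" } else { $_ }
    })
    $inf = Join-Path $env:TEMP 'deny-service-logon.inf'
    $db  = Join-Path $env:TEMP 'deny-service-logon.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyServiceLogonRight = $($merged -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    Test-DenyServiceLogonStig
}

# Usage:
Test-DenyServiceLogonStig | Format-List
Get-NonBuiltinServiceAccounts | Format-Table -AutoSize
```

Run the audit and the service listing first; any service in the second output whose StartName resolves to a member of either group must be moved to a dedicated service account (or a gMSA) before the GPO is linked, otherwise that service stops starting once the right is applied.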

See Also

https://workbench.cisecurity.org/benchmarks/15301

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: Windows

Control ID: 9bc287173ade75b773d7ee8edf13e35f89fb575a3f377ebc99a77cd8f7038cd9