(imported topic written by acarrozza91)
Fixlet: User rights and advanced user rights settings do not meet minimum requirements (Deny logon locally).
Inappropriate granting of user and advanced user rights can provide system, administrative, and other high-level capabilities not required by the normal user.
Source ID
4.010
Source Severity - CAT II
DISA Group Title - User Rights Assignments
DISA IA Controls - ECLP-1
DISA Rule ID - SV-25127r1_rule
DISA Responsibility - System Administrator
DISA Vulid (STIG-ID) V-1103
DISA Documentable YES
DISA Check Content
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Account Policies -> User Rights Assignment.
Review the settings in the Policy window against the list below. If there are any discrepancies, then this is a finding.
Access Credential Manager as a trusted caller - No one
Access this computer from network - Administrators
Act as part of the operating system - See separate vulnerability 4.009/V0001102
Adjust memory quotas for a process - Administrators, Local Service, Network Service
Allow logon locally - Administrators, Users
Allow logon through Remote Desktop Services - No one
Backup files and directories - Administrators
Bypass traverse checking - Administrators, Users, Local Service, Network Service
Change the system time - Administrators, Local Service
Change the time zone - Administrators, Users, Local Service
Create a pagefile - Administrators
Create a token object - No one
Create global objects - Administrators, Service, Local Service, Network Service
Create permanent shared objects - No one
Create symbolic links - Administrators
Debug programs - See separate vulnerability 4.005/V0018010
Deny access to this computer from the network - See separate vulnerability 4.025/V0001155
Deny logon as a batch job - Guests
Deny logon as a service - No one
Deny logon locally - Guests
Deny logon through Remote Desktop Services - Everyone (Guests if RD is used)
Enable computer and user accounts to be trusted for delegation - No one
Force shutdown from a remote system - Administrators
Generate security audits - Local Service, Network Service
Impersonate a client after authentication - Administrators, Service, Local Service, Network Service
Increase a process working set - Administrators, Local Service
Increase scheduling priority - Administrators
Load and unload device drivers - Administrators
Lock pages in memory - No one
Log on as a batch job - No one
Log on as a service - No one
Manage auditing and security log - Auditors Group (see V0001137)
Modify an object label - No one
Modify firmware environment values - Administrators
Perform volume maintenance tasks - Administrators
Profile single process - Administrators
Profile system performance - Administrators, NT Service\WdiServiceHost
Remove computer from docking station - Administrators, Users
Replace a process level token - Local Service, Network Service
Restore files and directories - Administrators
Shut down the system - Administrators, Users
Take ownership of files or other objects - Administrators
DISA Documentable Explanation
Some applications require one or more of these rights to function. Any exception needs to be documented with the IAO. Acceptable forms of documentation include vendor published documents and application owner confirmation.
DISA Fix Text
Configure the system to prevent accounts from having unauthorized User Rights.
Parameter: SeDenyInteractiveLogonRight
Default value: *S-1-5-32-546
Desired value: *S-1-5-32-546
Compliant if: contains
Note: Parameters can only be set on a custom copy of this check.
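The check above boils down to one rule: the local policy value of SeDenyInteractiveLogonRight must contain *S-1-5-32-546 (BUILTIN\Guests). The script below is an added example, not the Fixlet's own relevance or action code and not DISA text; it reproduces that "compliant if contains" test on a single machine by exporting the local security policy with secedit.exe and parsing the [Privilege Rights] section. It assumes secedit.exe is present and that it runs from an elevated prompt, which the export requires.

```powershell
# Added example (not from the Fixlet or DISA): audit SeDenyInteractiveLogonRight
# against the desired value in the check, i.e. compliant if the assigned list
# contains *S-1-5-32-546 (Guests). Assumes secedit.exe and an elevated session.

$ExpectedSid = '*S-1-5-32-546'            # BUILTIN\Guests, the desired value above
$Privilege   = 'SeDenyInteractiveLogonRight'

# Export only the user-rights area of the local security policy to a temp INF file.
$inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt." }

try {
    # secedit writes UTF-16LE. The [Privilege Rights] section has one line per right:
    #   SeDenyInteractiveLogonRight = *S-1-5-32-546
    # A right with no assignments at all is simply absent from the export.
    $line = Get-Content -Path $inf -Encoding Unicode |
            Where-Object { $_ -match "^\s*$Privilege\s*=" }

    $assigned = @()
    if ($line) {
        $assigned = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    }

    # Resolve *SID entries to account names for the report; entries that are
    # already names (or SIDs that no longer resolve) are reported as-is.
    $names = foreach ($entry in $assigned) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }
    }

    # The "Compliant if: contains" rule: Guests must be in the deny list.
    # Extra entries do not fail the check, so this mirrors the Fixlet, not a stricter policy.
    $compliant = $assigned -contains $ExpectedSid

    [pscustomobject]@{
        Privilege = $Privilege
        Assigned  = ($names -join ', ')
        Expected  = 'Guests (S-1-5-32-546)'
        Compliant = $compliant
        Finding   = if ($compliant) { $null } else { 'Guests are not denied local logon (V-1103)' }
    }
}
finally {
    # Do not leave a copy of the security policy lying in %TEMP%.
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
}
```

Run it elevated; a non-compliant host prints Compliant = False with the finding text, which is the same condition the Fixlet's relevance evaluates. Because the rule is "contains", a machine that denies local logon to Guests plus additional groups still passes, so any extra entries shown in Assigned should be reviewed against the documentable-explanation clause rather than treated as a finding by this script.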
ID: 58c13c1a-6ccc-525d-9442-bd22d321cdfd