Can I preserve Admin remote desktop services with this fixlet?

(imported topic written by acarrozza91)

Fixlet: User rights and advanced user rights settings do not meet minimum requirements (Deny logon locally).

Inappropriate granting of user and advanced user rights can provide system, administrative, and other high-level capabilities not required by the normal user.

Source ID - 4.010

Source Severity - CAT II

DISA Group Title - User Rights Assignments

DISA IA Controls - ECLP-1

DISA Rule ID - SV-25127r1_rule

DISA Responsibility - System Administrator

DISA Vulid (STIG-ID) - V-1103

DISA Documentable - YES

DISA Check Content

Analyze the system using the Security Configuration and Analysis snap-in.

Expand the Security Configuration and Analysis tree view.

Navigate to Account Policies -> User Rights Assignment.

Review the settings in the Policy window against the list below. If there are any discrepancies, then this is a finding.

Access Credential Manager as a trusted caller - No one

Access this computer from network - Administrators

Act as part of the operating system - See separate vulnerability 4.009/V0001102

Adjust memory quotas for a process - Administrators, Local Service, Network Service

Allow logon locally - Administrators, Users

Allow logon through Remote Desktop Services - No one

Backup files and directories - Administrators

Bypass traverse checking - Administrators, Users, Local Service, Network Service

Change the system time - Administrators, Local Service

Change the time zone - Administrators, Users, Local Service

Create a pagefile - Administrators

Create a token object - No one

Create global objects - Administrators, Service, Local Service, Network Service

Create permanent shared objects - No one

Create symbolic links - Administrators

Debug programs - See separate vulnerability 4.005/V0018010

Deny access to this computer from the network - See separate vulnerability 4.025/V0001155

Deny logon as a batch job - Guests

Deny logon as a service - No One

Deny logon locally - Guests

Deny logon through Remote Desktop Services - Everyone (Guests if RD is used)

Enable computer and user accounts to be trusted for delegation - No one

Force shutdown from a remote system - Administrators

Generate security audits - Local Service, Network Service

Impersonate a client after authentication - Administrators, Service, Local Service, Network Service

Increase a process working set - Administrators, Local Service

Increase scheduling priority - Administrators

Load and unload device drivers - Administrators

Lock pages in memory - No one

Log on as a batch job - No one

Log on as a service - No one

Manage auditing and security log - Auditors Group (see V0001137)

Modify an object label - No one

Modify firmware environment values - Administrators

Perform volume maintenance tasks - Administrators

Profile single process - Administrators

Profile system performance - Administrators, NT Service\WdiServiceHost

Remove computer from docking station - Administrators, Users

Replace a process level token - Local Service, Network Service

Restore files and directories - Administrators

Shut down the system - Administrators, Users

Take ownership of files or other objects - Administrators

DISA Documentable Explanation

Some applications require one or more of these rights to function. Any exception needs to be documented with the IAO. Acceptable forms of documentation include vendor published documents and application owner confirmation.

DISA Fix Text

Configure the system to prevent accounts from having unauthorized User Rights.

Parameter: SeDenyInteractiveLogonRight

Default value: *S-1-5-32-546

Desired value: *S-1-5-32-546

Compliant if: contains

Desired value for this parameter:

Click “Save” to update the desired value or values for this check.

Note: Parameters can only be set on a custom copy of this check.

ID: 58c13c1a-6ccc-525d-9442-bd22d321cdfd
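
The following is an added example, not part of the original post or of the fixlet itself: it parses a `secedit` user-rights export, applies the check's "contains" rule to `SeDenyInteractiveLogonRight`, and reports the Remote Desktop rights from the list above so the two can be compared before and after remediation. The sample export is constructed, and the function names and the Administrators and Everyone SIDs are assumptions added for the example (both are well-known SIDs).

```python
# Added example. A real export comes from an elevated prompt:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the file is UTF-16; read it with encoding="utf-16").
GUESTS = "S-1-5-32-546"          # desired value shown in the check
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID for BUILTIN\Administrators
EVERYONE = "S-1-1-0"             # well-known SID for Everyone

# Constructed sample export, not taken from a real host.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Map each right in [Privilege Rights] to its set of SIDs or account names."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                m.strip().lstrip("*") for m in value.split(",") if m.strip()
            }
    return rights

def evaluate(text):
    """Apply the check's 'contains' rule and report the Remote Desktop rights."""
    rights = parse_privilege_rights(text)
    deny_local = rights.get("SeDenyInteractiveLogonRight", set())
    allow_rdp = rights.get("SeRemoteInteractiveLogonRight", set())
    deny_rdp = rights.get("SeDenyRemoteInteractiveLogonRight", set())
    return {
        "deny_local_compliant": GUESTS in deny_local,
        "admins_denied_local": ADMINISTRATORS in deny_local,
        "admins_allowed_rdp": ADMINISTRATORS in allow_rdp,
        # A deny entry for Everyone also covers Administrators.
        "admins_denied_rdp": bool(deny_rdp & {ADMINISTRATORS, EVERYONE}),
    }

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Running the same evaluation on exports taken before and after the fixlet's action shows whether anything other than the deny-local-logon right changed.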