Check: WINUR-000020-DC
Win2k3 Audit:
WINUR-000020-DC
(in version v6 r1.29)
Title
The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. (Cat II impact)
Discussion
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Deny log on locally" right defines accounts that are prevented from logging on interactively. The Guests group and Support_388945a0 account must be assigned this right to prevent unauthenticated access.
Check Content
Fix Text
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on locally" to include the following. Guests Group Support_388945a0
Additional Identifiers
Rule ID: SV-47105r1_rule
Vulnerability ID: V-26485
Group Title:
Expert Comments
Expert comments are only available to logged-in users.
CCIs
CCIs tied to check.
| Number | Definition |
|---|---|
| No CCIs are assigned to this check |
Controls
Controls tied to check. These are derived from the CCIs shown above.
| Number | Title |
|---|---|
| No controls are assigned to this check |