Check: WINUR-000020-DC
Win2k8 Audit:
WINUR-000020-DC
(in version v6 r1.22)
Title
The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. (Cat II impact)
Discussion
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Deny log on locally" right defines accounts that are prevented from logging on interactively. The Guests group must be assigned this right to prevent unauthenticated access.
Check Content
Fix Text
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on locally" to include the following. Guests Group
Additional Identifiers
Rule ID: SV-47107r1_rule
Vulnerability ID: V-26485
Group Title: Deny log on locally
Expert Comments
Expert comments are only available to logged-in users.
CCIs
CCIs tied to check.
| Number | Definition |
|---|---|
| No CCIs are assigned to this check |
Controls
Controls tied to check. These are derived from the CCIs shown above.
| Number | Title |
|---|---|
| No controls are assigned to this check |