Microsoft Windows Server 2012/2012 R2 Domain Controller STIG:
(in versions v3 r7 through v2 r7)
Unauthorized accounts must not have the Add workstations to domain user right. (Cat II impact)
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Add workstations to domain" right may add computers to a domain. This could result in unapproved or incorrectly configured systems being added to a domain.
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding: Administrators
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Add workstations to domain" to only include the following accounts or groups: Administrators
Rule ID: SV-226399r877392_rule
Vulnerability ID: V-226399
Group Title: SRG-OS-000324-GPOS-00125
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Prohibit Non-Privileged Users From Executing Privileged Functions