Title

The system must be configured to use the Classic security model. (Cat II impact)

Discussion

Windows includes two network-sharing security models - Classic and Guest only. With the Classic model, local accounts must be password protected; otherwise, anyone can use guest user accounts to access shared system resources.

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: ForceGuest Value Type: REG_DWORD Value: 0

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves".

Additional Identifiers

Rule ID: SV-225500r569185_rule

Vulnerability ID: V-225500

Group Title: SRG-OS-000138-GPOS-00069

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.