The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2373 | AD.3058_2008 | SV-28493r2_rule | ECSC-1 | Medium |
| Description |
|---|
| This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges. Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler. |
| STIG | Date |
|---|---|
| Active Directory Service 2008 Security Technical Implementation Guide (STIG) | 2011-05-23 |
Details
| Check Text ( C-96r2_chk ) |
|---|
| 1. Analyze the system using the Security Configuration and Analysis tool. 2. Expand the Security Configuration and Analysis tree view. 3. Navigate to Local Policies and select Security Options. 4. If the value for “Domain Controller: Allow server operators to schedule tasks” is not set to “Disabled”, then this is a finding. |
| Fix Text (F-28439r1_fix) |
|---|
| Set the value for “Domain Controller: Allow server operators to schedule tasks” to “Disabled”. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\ Value Name: SubmitControl Value Type: REG_DWORD Value: 0 |