This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges. Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler.
1. Analyze the system using the Security Configuration and Analysis tool.
2. Expand the Security Configuration and Analysis tree view.
3. Navigate to Local Policies and select Security Options.
4. If the value for “Domain Controller: Allow server operators to schedule tasks” is not set to “Disabled”, then this is a finding.
Fix Text (F-28439r1_fix)
Set the value for “Domain Controller: Allow server operators to schedule tasks” to “Disabled”.
The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\ Value Name: SubmitControl Value Type: REG_DWORD Value: 0