UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2373 AD.3058_2008 SV-28493r2_rule ECSC-1 Medium
Description
This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges. Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler.
STIG Date
Active Directory Service 2008 Security Technical Implementation Guide (STIG) 2011-05-23

Details

Check Text ( C-96r2_chk )
1. Analyze the system using the Security Configuration and Analysis tool.

2. Expand the Security Configuration and Analysis tree view.

3. Navigate to Local Policies and select Security Options.

4. If the value for “Domain Controller: Allow server operators to schedule tasks” is not set to “Disabled”, then this is a finding.
Fix Text (F-28439r1_fix)
Set the value for “Domain Controller: Allow server operators to schedule tasks” to “Disabled”.

The policy referenced configures the following registry value:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\LSA\
Value Name: SubmitControl
Value Type: REG_DWORD
Value: 0