A group named DenyNetworkAccess must be defined on domain systems to include all local administrator accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-45589 | WINGE-000200 | SV-58477r1_rule | ECLP-1 | Low |
| Description |
|---|
| Several user rights on domain systems require that local administrator accounts be assigned to them. Defining a consistent group name allows compliance to be more easily determined. |
| STIG | Date |
|---|---|
| Windows 2008 Member Server Security Technical Implementation Guide | 2014-04-02 |
Details
| Check Text ( C-49597r2_chk ) |
|---|
| This requirement is NA for non domain-joined systems. Review local groups on the system. Compare the membership of the "DenyNetworkAccess" group with the local Administrators group. Verify the group "DenyNetworkAccess" includes all local administrator accounts as members. This includes the built-in Administrator account. It does not include domain administrative accounts or groups. If the group "DenyNetworkAccess" does not exist or does not include all local administrator accounts, this is a finding. |
| Fix Text (F-49945r2_fix) |
|---|
| This requirement is NA for non domain-joined systems. Create a local group with the name "DenyNetworkAccess" if one does not exist on the system. Include all local administrator accounts as members of the group, including the built-in Administrator account. |