Unauthorized accounts will not have the "Allow log on locally" user right.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-26472	WINUR-000005	SV-35927r2_rule		Medium

Description
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Allow log on locally" right can log on interactively to a system.

STIG	Date
Windows 7 Security Technical Implementation Guide	2018-02-12

Details

Check Text ( C-49423r1_chk )
Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: Administrators Users Systems dedicated to managing Active Directory (AD admin platforms), must only allow Administrators, removing the Users group.

Check Text ( C-49423r1_chk )

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> User Rights Assignment.

If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding:

Administrators
Users

Systems dedicated to managing Active Directory (AD admin platforms), must only allow Administrators, removing the Users group.

Fix Text (F-49514r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Allow log on locally" to only include the following accounts or groups: Administrators Users Systems dedicated to managing Active Directory (AD admin platforms), must only allow Administrators, removing the Users group.