Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2373 | AD.3058_2008_R2 | SV-36168r1_rule | ECSC-1 | Medium |
| Description |
|---|
| This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges. Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler. |
| STIG | Date |
|---|---|
| Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2012-09-05 |
Details
| Check Text ( C-32082r1_chk ) |
|---|
| 1. Analyze the system using the Security Configuration and Analysis snap-in. 2. Expand the Security Configuration and Analysis tree view. 3. Navigate to Local Policies and select Security Options. 4. If the value for “Domain Controller: Allow server operators to schedule tasks” is not set to “Disabled”, then this is a finding. |
| Fix Text (F-28439r1_fix) |
|---|
| Set the value for “Domain Controller: Allow server operators to schedule tasks” to “Disabled”. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\ Value Name: SubmitControl Value Type: REG_DWORD Value: 0 |