Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-45589 | WN12-GE-000200 | SV-58487r1_rule | ECLP-1 | Low |
Description |
---|
Several user rights on domain systems require that local administrator accounts be assigned to them. Defining a consistent group name allows compliance to be more easily determined. |
STIG | Date |
---|---|
Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide | 2014-04-02 |
Check Text ( C-49601r3_chk ) |
---|
This requirement is NA for non domain-joined systems. *This requirement is NA for Windows 2012 R2 systems using the new built-in security groups below. Review local groups on the system. Compare the membership of the "DenyNetworkAccess" group with the local Administrators group. Verify the group "DenyNetworkAccess" includes all local administrator accounts as members. This includes the built-in Administrator account. It does not include domain administrative accounts or groups. If the group "DenyNetworkAccess" does not exist or does not include all local administrator accounts, this is a finding. *Windows 2012 R2 added new built-in security groups for assigning permissions and rights to local accounts. Use these groups instead of creating a group for local administrator accounts to apply to deny rights where required. Assign the group "Local account and member of Administrators group" or the more restrictive "Local account". |
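
The check above can be scripted as follows. This is an added example, not part of the STIG text. It assumes an English-language system (group name "Administrators"), an elevated session, and that local accounts appear under the ADSI WinNT provider with the computer name in their path. It does not detect whether a 2012 R2 system uses the built-in "Local account" groups instead, so that exception still has to be judged manually.

```powershell
# Added example: audit for V-45589 (WN12-GE-000200).
# Uses the ADSI WinNT provider because Get-LocalGroupMember is not available in the
# PowerShell version that ships with Windows Server 2012.
$computer = $env:COMPUTERNAME

function Get-LocalAccountMember {
    param([Parameter(Mandatory = $true)][string]$GroupName)

    # Binding is lazy; Invoke('Members') throws if the group does not exist.
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    $paths = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }

    # Local accounts carry the computer name in the path (WinNT://DOMAIN/COMPUTER/name).
    # Domain accounts and groups (WinNT://DOMAIN/name) are excluded, as the check requires.
    $pattern = "/$([regex]::Escape($computer))/[^/]+$"
    $paths | Where-Object { $_ -match $pattern } | ForEach-Object { ($_ -split '/')[-1] }
}

# The requirement is NA for systems that are not domain-joined.
if (-not (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
    Write-Output 'NA: system is not domain-joined.'
    return
}

$localAdmins = @(Get-LocalAccountMember -GroupName 'Administrators')

try {
    $denyMembers = @(Get-LocalAccountMember -GroupName 'DenyNetworkAccess')
}
catch {
    Write-Output 'FINDING: local group "DenyNetworkAccess" does not exist or cannot be read.'
    return
}

# Every local administrator account, including the built-in Administrator, must be a member.
$missing = @($localAdmins | Where-Object { $denyMembers -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Output ('FINDING: local administrator accounts missing from "DenyNetworkAccess": ' +
        ($missing -join ', '))
}
else {
    Write-Output 'Not a finding: all local administrator accounts are in "DenyNetworkAccess".'
}
```
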
Fix Text (F-49949r3_fix) |
---|
This requirement is NA for non domain-joined systems. *This requirement is NA for Windows 2012 R2 systems using the new built-in security groups below. Create a local group with the name "DenyNetworkAccess" if one does not exist on the system. Include all local administrator accounts as members of the group, including the built-in Administrator account. *Windows 2012 R2 added new built-in security groups for assigning permissions and rights to local accounts. Use these groups instead of creating a group for local administrator accounts to apply to deny rights where required. Assign the group "Local account and member of Administrators group" or the more restrictive "Local account". |