| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 2017821C4C79DB61FC5D00147D32549CD255D0CC ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account and member of Administrators group SCHROEDER3\Domain Admins SCHROEDER3\Enterprise Admins Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: Domain Systems Only: - Enterprise Admins group - Domain Admins group - "Local account and member of Administrators group" or "Local account" (see Note below) All Systems: - Guests group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyNetworkLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) S-1-5-114 ("Local account and member of Administrators group") or S-1-5-113 ("Local account") All Systems: S-1-5-32-546 (Guests) Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny access to this computer from the network to include the following: Domain Systems Only: - Enterprise Admins group - Domain Admins group - "Local account and member of Administrators group" or "Local account" (see Note below) All Systems: - Guests group Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.