Vulnerability V-220970

V-220970

CAT II

The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.

Ships Affected: 1
Total Findings: 4
Open: 2
Closed: 0

Check Text

This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on as a service" right , this is a finding. Domain Systems Only: Enterprise Admins Group Domain Admins Group

Fix Text

This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following: Domain Systems Only: Enterprise Admins Group Domain Admins Group

STIG Reference

STIG: Microsoft Windows 10 Security Technical Implementation Guide
Version: 3
Release: 6
Rule ID: SV-220970r1137691_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship	Hull #	Source File	Assigned To	Scan Date	Actions
USNS MONTFORD POINT	T-ESD-1	MONT-SW-89134_Win10_V3R5_20251217-201218.ckl	Unassigned	2026-03-04T15:25:42.339596	View in Context
USNS MONTFORD POINT	T-ESD-1	MONT-SW-89108_Win10_V3R5_20251217-203019.ckl	Unassigned	2026-03-04T15:25:16.342077	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl	Unassigned	2026-01-14T12:57:28.689048	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl	Unassigned	2026-01-14T12:57:26.690022	View in Context