CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Impact:

If you assign the Deny log on as a batch job user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to perform their required job activities. You should confirm that delegated tasks will not be affected adversely. For example, if you assign this user right to the IWAM_ (ComputerName) account, the MSM Management Point will fail. On a newly installed computer that runs Windows Server 2003 this account does not belong to the Guests group, but on a computer that was upgraded fromWindows 2000 this account is a member of the Guests group. Therefore, it is important that you understand which accounts belong to any groups that you assign the Deny log on as a batch job user right.

Default Value:

No one.

References:

1. CCE-35461-3

CIS Controls:

Version 6

16 Account Monitoring and Control Account Monitoring and Control

Version 7

16.8 Disable Any Unassociated Accounts Disable any account that cannot be associated with a business process or business owner.

104 | P a g e