CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' (Scored)
Profile Applicability:
Level 1 (L1) - Corporate/Enterprise Environment (general use)
Description:
This policy setting determines whether users can log on as Remote Desktop clients. After the baseline workstation is joined to a domain environment, there is no need to use local accounts to access the workstation from the network. Domain accounts can access the workstation for administration and end-user processing. This user right supersedes the Allow log on through Remote Desktop Services user right if an account is subject to both policies.
Caution: Configuring a standalone (non-domain-joined) workstation as described above may result in an inability to remotely administer the workstation.
Note: The security identifier Local account is not available in Windows 7 and Windows 8.0 unless MSKB 2871997 has been installed.
Note #2: In all versions of Windows prior to Windows 7, Remote Desktop Services was known as Terminal Services, so you should substitute the older term if comparing against an older OS.
The recommended state for this setting is to include: Guests, Local account.
Rationale:
Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
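The same check can be scripted. The following is an added example, not part of the CIS benchmark text. It assumes an elevated Windows PowerShell 5.1 session and uses the user-right constant SeDenyRemoteInteractiveLogonRight and the well-known SIDs S-1-5-32-546 (Guests) and S-1-5-113 (Local account), none of which appear on this page; the function name Get-DenyRdpLogonSids is hypothetical.

```powershell
# Added example: audit 'Deny log on through Remote Desktop Services' on the local machine.
# Assumed well-known SIDs: S-1-5-32-546 = BUILTIN\Guests, S-1-5-113 = Local account.
$required = @{ 'S-1-5-32-546' = 'Guests'; 'S-1-5-113' = 'Local account' }

function Get-DenyRdpLogonSids {
    param([string[]]$InfLines)
    # secedit stores the right as: SeDenyRemoteInteractiveLogonRight = *SID,*SID,name,...
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right not defined: no account is denied
    $entries = (($line -split '=', 2)[1] -split ',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')   # entry is already a SID
        } else {
            # Some principals are exported by name; resolve them to a SID for comparison.
            try {
                ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                Write-Warning "Could not resolve '$entry' to a SID"
            }
        }
    }
}

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the session elevated?)' }
    $assigned = @(Get-DenyRdpLogonSids -InfLines (Get-Content -Path $cfg))
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# The setting passes only if both required principals are present; extra entries are allowed.
$missing = @($required.Keys | Where-Object { $_ -notin $assigned })
if ($missing.Count -gt 0) {
    $missing | ForEach-Object { "FAIL: missing {0} ({1})" -f $required[$_], $_ }
} else {
    'PASS: Guests and Local account are denied log on through Remote Desktop Services'
}
```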