CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
2.2.29 (L2) Configure 'Log on as a service' (Scored)
ProfileApplicability:
Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)
Description:
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an enterprise environment. On Windows Vista-based (and newer) computers, no users or groups have this privilege by default.
The recommended state for this setting is: No One or (when the Hyper-V feature is installed) NT VIRTUAL MACHINE\Virtual Machines.
Note: The Hyper-V feature was first introduced on Windows workstations with the 64-bit version of Windows 8.0, so the NT VIRTUAL MACHINE\Virtual Machines option does not apply to Windows 7 (or older) versions of Windows. Older OSes should only be configured for No One.
Rationale:
Log on as a service is a powerful user right because it allows accounts to launch network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Remediation:
To establish the recommended configuration via GP, set the following UI path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
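The following PowerShell script is an added audit example; it is not part of the CIS benchmark text and not a CIS-provided tool. It exports the local security policy with secedit.exe and compares the holders of SeServiceLogonRight (the internal name of the "Log on as a service" right) against the recommended state above: nobody, or only NT VIRTUAL MACHINE\Virtual Machines (well-known SID S-1-5-83-0) when Hyper-V is installed. It assumes an elevated session and that secedit.exe and the DISM PowerShell module are available, which is the case on a standard Windows 10 install.

```powershell
# Added audit example for CIS 2.2.29 (not from the benchmark): check who holds
# "Log on as a service" (SeServiceLogonRight) via a secedit policy export.
# Assumptions: elevated PowerShell; secedit.exe and Get-WindowsOptionalFeature
# available; S-1-5-83-0 is the SID of "NT VIRTUAL MACHINE\Virtual Machines".

$export = Join-Path $env:TEMP 'secpol-audit-2.2.29.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# secedit omits the SeServiceLogonRight line entirely when no principal holds
# the right, which is the "No One" state the benchmark recommends.
$line = Select-String -Path $export -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1

# The Hyper-V exception only applies when the feature is actually enabled.
$hyperV = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
$allowed = @()
if ($hyperV -and $hyperV.State -eq 'Enabled') { $allowed += '*S-1-5-83-0' }

if (-not $line) {
    $holders = @()
} else {
    # Right-hand side is a comma-separated list of *SID entries or account names.
    $holders = ($line.Line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$unexpected = @($holders | Where-Object { $allowed -notcontains $_ })

if ($unexpected.Count -eq 0) {
    $shown = if ($holders.Count) { $holders -join ', ' } else { 'No One' }
    Write-Output "PASS: 'Log on as a service' holders = $shown"
} else {
    Write-Output "FAIL: unexpected holders of 'Log on as a service': $($unexpected -join ', ')"
    # Resolve *SID entries to account names so the report is readable.
    foreach ($h in $unexpected) {
        if ($h -like '*S-1-*') {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
            Write-Output "  $h -> $name"
        }
    }
}

Remove-Item $export -ErrorAction SilentlyContinue
```

A FAIL result lists every principal beyond the allowed set; because service accounts for installed applications often appear here, reconcile the list against the application inventory before removing entries via the Group Policy path above, as the Description section advises.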