PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

Domain Controller: Deny log on Remote Desktop Services user right on DCs must be configured to prevent unauthenticated access

bc4e8f0f-3990-4a9b-92d5-9c0adc249b58

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services.

The Guests group must be assigned this right to prevent unauthenticated access.

Remediation

To fix this configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ User Rights Assignment
|_ Deny log on through Remote Desktop Services to include the following:
- Guests Group

STIG: Server
2025: https://system32.eventsentry.com/stig/viewer/V-278174
2022: https://system32.eventsentry.com/stig/viewer/V-254425
2019: https://system32.eventsentry.com/stig/viewer/V-205732
2016: https://system32.eventsentry.com/stig/viewer/V-225004

NIST 800-53 : AC-3, AC-6, CM-6
NIST 800-171: 3.1.1, 3.1.2, 3.4.6
CMMC v2.0 L2: AC.L2-3.1.1, AC.L2-3.1.2, CM.L2-3.4.6
PCI-DSS v4.0: 2.2.1, 7.2.1
HIPAA SR : ยง164.312(a)(1)
HIPAA HICP : Practice 3 (Identity and Access Management)



Tags

stig-medium-server nist800-171-server nist800-53-server pci-dss-v4-server hipaa-server cmmc2-l2-server

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.