Security: Deny log on as a service user right on domain-joined servers must be configured to prevent access from highly privileged domain accounts

e0a03f12-f54b-477b-ac08-c247a8d82e44

The "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.

Remediation

To fix this, configure the policy value for:

Computer Configuration
  |_ Windows Settings
    |_ Security Settings
      |_ Local Policies
        |_ User Rights Assignment
          |_ Deny log on as a service

to include the following:

Domain systems:
- Enterprise Admins Group
- Domain Admins Group
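
One way to verify the remediation, as an added example (not EventSentry or STIG code): it parses the SeDenyServiceLogonRight line of a `secedit /export` file and reports missing required groups and any extra assignees. The function name is hypothetical, the sample SIDs are constructed placeholders, and the groups are matched by their well-known RIDs (512 and 519) on the assumption that secedit writes domain groups in `*S-1-5-21-...` form.

```powershell
function Test-DenyServiceLogonRight {
    param([Parameter(Mandatory)] [string[]] $InfLines)  # lines of a secedit /export file

    # Well-known RIDs of the two groups the check requires
    $required = [ordered]@{ '512' = 'Domain Admins'; '519' = 'Enterprise Admins' }

    # The right is stored as: SeDenyServiceLogonRight = *SID,*SID,...
    $line = $InfLines | Where-Object { $_ -match '^\s*SeDenyServiceLogonRight\s*=' } |
            Select-Object -First 1
    $entries = @()
    if ($line) {
        $entries = @(($line -split '=', 2)[1] -split ',' |
                     ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    $seen = @{}
    $unexpected = @()
    foreach ($entry in $entries) {
        # Enterprise Admins carries the forest root domain SID, so match on the RID only
        if ($entry -match '^\*S-1-5-21-\d+-\d+-\d+-(512|519)$') {
            $seen[$Matches[1]] = $true
        } else {
            $unexpected += $entry   # anything else violates "no other groups or accounts"
        }
    }
    $missing = @($required.Keys | Where-Object { -not $seen.ContainsKey($_) } |
                 ForEach-Object { $required[$_] })

    [pscustomobject]@{
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
        Missing    = $missing
        Unexpected = $unexpected
    }
}

# Constructed sample input (placeholder SIDs); $bad lacks Enterprise Admins and adds Guests
$good = '[Privilege Rights]',
        'SeDenyServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-519,*S-1-5-21-1111111111-2222222222-3333333333-512'
$bad  = '[Privilege Rights]',
        'SeDenyServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-32-546'
Test-DenyServiceLogonRight -InfLines $good
Test-DenyServiceLogonRight -InfLines $bad

# On a live member server (elevated prompt):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-DenyServiceLogonRight -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Entries that secedit exports as plain account names instead of SIDs land in `Unexpected` and need manual review.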

STIG: Server
2025: https://system32.eventsentry.com/stig/viewer/V-278186
2022: https://system32.eventsentry.com/stig/viewer/V-254437
2019: https://system32.eventsentry.com/stig/viewer/V-205674
2016: https://system32.eventsentry.com/stig/viewer/V-225017

NIST 800-53 : AC-3, AC-6, CM-6
NIST 800-171: 3.1.1, 3.1.2, 3.4.6
CMMC v2.0 L2: AC.L2-3.1.1, AC.L2-3.1.2, CM.L2-3.4.6
PCI-DSS v4.0: 2.2.1, 7.2.1
HIPAA SR : §164.312(a)(1)
HIPAA HICP : Practice 3 (Identity and Access Management)