| VID |
28332 |
| Severity |
30 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
A user or group with the 'Deny logon as a batch job' right is detected. 'Deny logon as a batch job' prohibits a user or group from logging on through a batch-queue facility. This right is not normally granted to any user or group by default.
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/appxb.asp
* Platforms Affected:
Windows Any version |
| Recommendation |
Check user rights for the 'Deny logon as a batch job', and remove any names disallowed by your security policy.
To audit and revoke this privilege:
For a Windows 2000 domain:
1. Start Microsoft Management Console (mmc). From the Windows Start menu, select Run, type mmc, and click OK.
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment and Deny logon as a batch job.
6. Set the user right to desired setting according to your administration policy.
For a stand-alone Windows 2000 computer:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. The focus is local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment and Deny logon as a batch job.
3. Set the user right to desired setting according to your administration policy.
For Windows XP, 2003, 7, 2008, 8, 2012, 10, 2016, 2019 computer:
1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. The focus is local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment and Deny logon as a batch job.
3. Set the user right to desired setting according to your administration policy. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
3817 (ISS) |
|
