From 8fa75d676639a65ce6148664c507ab7a41f77646 Mon Sep 17 00:00:00 2001 From: Long Lam <31355535+eemperor@users.noreply.github.com> Date: Tue, 6 Aug 2024 10:52:32 -0400 Subject: [PATCH] Allow remote login for local accounts, clean up empty settings --- .../stig/Windows_2022Server_DC/stig.yml | 18 --------------- .../stig/Windows_2022Server_MS/stig.yml | 22 ++----------------- 2 files changed, 2 insertions(+), 38 deletions(-) diff --git a/ash-windows/stig/Windows_2022Server_DC/stig.yml b/ash-windows/stig/Windows_2022Server_DC/stig.yml index 6a34fcf..9d625f5 100644 --- a/ash-windows/stig/Windows_2022Server_DC/stig.yml +++ b/ash-windows/stig/Windows_2022Server_DC/stig.yml @@ -532,15 +532,9 @@ - name: SeCreatePagefilePrivilege policy_type: secedit value: '*S-1-5-32-544' -- name: SeCreateTokenPrivilege - policy_type: secedit - value: '' - name: SeCreateGlobalPrivilege policy_type: secedit value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6' -- name: SeCreatePermanentPrivilege - policy_type: secedit - value: '' - name: SeCreateSymbolicLinkPrivilege policy_type: secedit value: '*S-1-5-32-544' @@ -562,9 +556,6 @@ - name: SeLoadDriverPrivilege policy_type: secedit value: '*S-1-5-32-544' -- name: SeLockMemoryPrivilege - policy_type: secedit - value: '' - name: SeSecurityPrivilege policy_type: secedit value: '*S-1-5-32-544' @@ -586,18 +577,9 @@ - name: SeNetworkLogonRight policy_type: secedit value: '*S-1-5-32-544,*S-1-5-11,*S-1-5-9' -- name: SeDenyServiceLogonRight - policy_type: secedit - value: '' - name: SeEnableDelegationPrivilege policy_type: secedit value: '*S-1-5-32-544' -- name: SeTcbPrivilege - policy_type: secedit - value: '' -- name: SeTrustedCredManAccessPrivilege - policy_type: secedit - value: '' - name: SeMachineAccountPrivilege policy_type: secedit value: '*S-1-5-32-544' diff --git a/ash-windows/stig/Windows_2022Server_MS/stig.yml b/ash-windows/stig/Windows_2022Server_MS/stig.yml index 15eba8e..0e73838 100644 --- a/ash-windows/stig/Windows_2022Server_MS/stig.yml +++ b/ash-windows/stig/Windows_2022Server_MS/stig.yml @@ -509,7 +509,7 @@ vtype: DWORD - name: SeDenyNetworkLogonRight policy_type: secedit - value: '*S-1-5-114,*S-1-5-32-546' + value: '*S-1-5-32-546' - name: SeDenyBatchLogonRight policy_type: secedit value: '*S-1-5-32-546' @@ -518,7 +518,7 @@ value: '*S-1-5-32-546' - name: SeDenyRemoteInteractiveLogonRight policy_type: secedit - value: '*S-1-5-113,*S-1-5-32-546' + value: '*S-1-5-32-546' - name: SeInteractiveLogonRight policy_type: secedit value: '*S-1-5-32-544' @@ -528,15 +528,9 @@ - name: SeCreatePagefilePrivilege policy_type: secedit value: '*S-1-5-32-544' -- name: SeCreateTokenPrivilege - policy_type: secedit - value: '' - name: SeCreateGlobalPrivilege policy_type: secedit value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544' -- name: SeCreatePermanentPrivilege - policy_type: secedit - value: '' - name: SeCreateSymbolicLinkPrivilege policy_type: secedit value: '*S-1-5-32-544' @@ -558,9 +552,6 @@ - name: SeLoadDriverPrivilege policy_type: secedit value: '*S-1-5-32-544' -- name: SeLockMemoryPrivilege - policy_type: secedit - value: '' - name: SeSecurityPrivilege policy_type: secedit value: '*S-1-5-32-544' @@ -582,12 +573,3 @@ - name: SeNetworkLogonRight policy_type: secedit value: '*S-1-5-32-544,*S-1-5-11' -- name: SeEnableDelegationPrivilege - policy_type: secedit - value: '' -- name: SeTcbPrivilege - policy_type: secedit - value: '' -- name: SeTrustedCredManAccessPrivilege - policy_type: secedit - value: ''