Deny Log on as a Batch job Security Setting

Deny log on as a batch job

Ensure ‘Deny log on as a batch job’ to include ‘Guests’ policy setting determines the accounts that are restricted from logging onto the computer to execute batch jobs. A batch job here refers to a batch-queue facility, not a simple batch (.bat) file. Accounts utilizing the Task Scheduler for scheduling tasks require this user privilege.

This user privilege takes precedence over the “Log on as a batch job” privilege, which might enable accounts to schedule jobs leading to excessive consumption of system resources. Such a scenario could potentially result in a Denial of Service (DoS) condition. Neglecting to assign this user privilege to the specified accounts may pose a security hazard.

The recommended state for this setting is to include: Guests

Potential Impact & Countermeasure

If you assign the Deny log on as a batch job user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to perform their required job activities. You should confirm that delegated tasks will not be affected adversely.

For example, if you assign this user right to the IWAM_<ComputerName> account, the MSM Management Point will fail. On a newly installed computer that runs Windows Server 2003 this account does not belong to the Guests group, but on a computer that was upgraded from Windows 2000 this account is a member of the Guests group. Therefore, it is important that you understand which accounts belong to any groups that you assign the Deny log on as a batch job user right.

Countermeasure

Assign the Deny log on as a batch job user right to the built-in Support account and the local Guest account.

Configuration via Group Policy

On a computer joined to a domain, including the domain controller, this policy may be overridden by a domain policy, preventing you from modifying the local policy setting.

For instance, if you attempt to configure Task Scheduler on your domain controller, examine the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Ensure that the targeted account is not listed in the Deny log on as a batch job User Rights Assignment and is properly configured in the Log on as a batch job setting.

Settings are implemented in the subsequent order through a Group Policy Object (GPO), which supersedes settings on the local computer during the next Group Policy update:

1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings

When a local setting appears greyed out, it signifies that a GPO currently manages that setting.

To establish the recommended configuration via GP, set the following UI path to include Guests:

Windows Update Result in Memory Leak and Domain Controllers Crashing

Deny Log on a Batch Job Vulnerability

Users with the “Deny log on as a batch job” user privilege could potentially schedule tasks that consume significant computer resources, leading to a denial-of-service situation where attackers can still launch a DoS attack through by flooding the network with traffic.

If there is an improper configuration of the setting, legitimate users who rely on batch jobs (e.g., system administrators) can be denied access which can disrupt critical operations.

Optimal Strategies for Minimizing Operational Disruption

Deny log on as a batch job security setting is designed to mitigate vulnerabilities and potential attacks that could exploit batch job execution on a system. Here’s why automated configuration hardening would be the best approach to avoid disrupting critical operations due to improper configuration.

Automation configuration hardening can define clear exceptions by identifying and whitelisting legitimate user accounts or groups that require permission to run batch jobs. Automated hardening tools can also track configuration changes and allow for easy rollback in case of unintended consequences.