Should we close SeNetworkLogonRight for all users?

[strangeman]

Reference dev-sec/ansible-windows-hardening#3

I think we should allow NetworkLogon for Administrator group, because instead we cannot manage Windows Server via WinRM:
https://github.com/dev-sec/windows-baseline/blob/master/controls/user_rights.rb#L19

+    its('SeNetworkLogonRight') { should eq ['S-1-5-32-544'] }
-    its('SeNetworkLogonRight') { should eq ['S-1-0-0'] }

[chris-rock]

I think we should have the capability to use the baseline with winrm and without winrm. There are good reasons to deactivate winrm on secure production environments. Therefore we need to distinguish between two options:

• deactivate winrm
• best-practices for winrm (which accounts, https only, certs)

@strangeman would that suite your needs?

[chris-rock]

@atomic111 what are you thinking?

[strangeman]

@chris-rock yeah, options for well-secured WinRM would be useful.

[jborean93]

If anything, you need to change the Ansible role to allow it like dev-sec/ansible-windows-hardening#3. When setting it to nobody you stop the mechanism that Ansible uses to connect to the host.

[atomic111]

@strangeman and @jborean93 I introduced a new inspec attribute for this https://github.com/dev-sec/windows-baseline/blob/master/inspec.yml#L33

Can i close the issue?

[strangeman]

Yeah, looks good for me.

…

On Tue, 11 Jun 2019, 20:30 Patrick Münch, ***@***.***> wrote: @strangeman <https://github.com/strangeman> and @jborean93 <https://github.com/jborean93> I introduced a new inspec attribute for this https://github.com/dev-sec/windows-baseline/blob/master/inspec.yml#L33 Can i close the issue? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#19?email_source=notifications&email_token=AAIIROGEX7D2V4BYLU6MBYTPZ7VNJA5CNFSM4EB4KP5KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXOCRGI#issuecomment-500967577>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAIIROEIX45PZCUFZRQGUMDPZ7VNJANCNFSM4EB4KP5A> .