Log on as a batch job right

The Log on as a batch job policy setting determines which accounts are permitted to sign in through a batch-queue facility such as the Task Scheduler service. When you schedule a task with the Add Scheduled Task Wizard and assign it to run under specific credentials, that user is granted the right to log on as a batch job. At the scheduled time, the Task Scheduler service logs the user on as a batch job rather than as an interactive user and runs the task in that user's security context.

Deny log on as a batch job

The ‘Deny log on as a batch job’ policy setting determines which accounts are prevented from logging on to the computer to run batch jobs. A batch job here refers to a batch-queue facility, not a simple batch (.bat) file. Accounts that use the Task Scheduler to schedule tasks require the batch logon user right.

This user right takes precedence over the “Log on as a batch job” right, which can otherwise allow accounts to schedule jobs that consume excessive system resources. Such a scenario could result in a Denial of Service (DoS) condition. Failing to assign this user right to the specified accounts may therefore pose a security hazard.


The recommended state for this setting is to include: Guests


Potential Impact & Countermeasure

If you assign the Deny log on as a batch job user right to other accounts, you could prevent users who hold specific administrative roles from performing their required job activities. Confirm that delegated tasks will not be adversely affected.


For example, if you assign this user right to the IWAM_<ComputerName> account, the MSM Management Point will fail. On a newly installed computer that runs Windows Server 2003 this account does not belong to the Guests group, but on a computer that was upgraded from Windows 2000 this account is a member of the Guests group. Therefore, it is important that you understand which accounts belong to any groups that you assign the Deny log on as a batch job user right.


Countermeasure

Allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you don’t want to use the Task Scheduler in this manner, configure the Log on as a batch job user right for only the Local Service account.

Configuration via Group Policy

On a computer joined to a domain, including a domain controller, this policy may be overridden by a domain policy, which prevents you from modifying the local policy setting.

For instance, if you attempt to configure a Task Scheduler job on your domain controller, examine the Settings tab of both your domain controller policy and your domain policy in the Group Policy Management Console (GPMC). Ensure that the target account is not listed in the Deny log on as a batch job User Rights Assignment and that it is present in the Log on as a batch job setting.

Settings are applied in the following order, so a Group Policy Object (GPO) supersedes the settings on the local computer at the next Group Policy refresh:


  1. Local policy settings
  2. Site policy settings
  3. Domain policy settings
  4. OU policy settings


When a local setting appears greyed out, it signifies that a GPO currently manages that setting.

To establish the recommended configuration via Group Policy, set the following UI path to include Guests:


Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
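The following PowerShell script is an added example, not code from the original article or any vendor tool. It audits the effective assignments on the local machine after the GPO has applied: it exports the user rights with secedit, resolves SIDs to account names, checks that Guests is in the deny list, and warns if a named task account (the placeholder CONTOSO\svc-batch is an assumption) is denied, since deny overrides allow. Run it from an elevated PowerShell prompt on Windows.

```powershell
# Added example, not code from the original article. Audits the effective
# "Deny log on as a batch job" (SeDenyBatchLogonRight) and "Log on as a batch job"
# (SeBatchLogonRight) assignments on the local machine as applied by local and GPO policy.
# Assumption: run in an elevated PowerShell on Windows; $AccountToCheck is a placeholder.
param(
    [string]$AccountToCheck = 'CONTOSO\svc-batch'   # placeholder account, replace with your own
)

$GuestsSid = 'S-1-5-32-546'   # well-known SID of BUILTIN\Guests

# Export the current user-rights policy (reflects the last Group Policy refresh) to a temp file
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run this from an elevated prompt' }
$policyLines = Get-Content -Path $cfg     # Get-Content honours the UTF-16 BOM secedit writes

function Get-PrivilegeMembers {
    param([string]$Privilege)
    $line = $policyLines | Where-Object { $_ -match "^$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }        # privilege assigned to nobody
    # Right-hand side is a comma-separated list of *SID entries or plain account names
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry.Substring(1) } # unresolvable SID (e.g. deleted account): keep raw SID
        } else { $entry }
    }
}

$deny  = @(Get-PrivilegeMembers -Privilege 'SeDenyBatchLogonRight')
$allow = @(Get-PrivilegeMembers -Privilege 'SeBatchLogonRight')
Remove-Item $cfg -ErrorAction SilentlyContinue

"Deny log on as a batch job : $($deny -join ', ')"
"Log on as a batch job      : $($allow -join ', ')"

# Check 1: recommended state, BUILTIN\Guests must be in the deny list
$guests = (New-Object System.Security.Principal.SecurityIdentifier($GuestsSid)).Translate([System.Security.Principal.NTAccount]).Value
if ($deny -contains $guests) { "PASS: $guests is denied batch logon" }
else                         { "FAIL: $guests is missing from 'Deny log on as a batch job'" }

# Check 2: an account that runs scheduled tasks must not be denied, because deny wins over allow
if     ($deny  -contains $AccountToCheck) { "WARN: $AccountToCheck is denied; its scheduled tasks will fail" }
elseif ($allow -contains $AccountToCheck) { "OK: $AccountToCheck can log on as a batch job" }
else   { "INFO: $AccountToCheck has no direct batch logon right (a group membership may still grant it)" }
```

Run `gpupdate /force` first on a domain-joined machine so the export reflects the current domain GPO rather than a stale local copy.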


Deny log on as a batch job vulnerability

Accounts that hold the “Log on as a batch job” right (the right that “Deny log on as a batch job” overrides) could schedule tasks that consume significant computer resources, leading to a denial-of-service condition; attackers can also still cause a DoS by flooding the network with traffic. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.

If the setting is misconfigured, legitimate users who rely on batch jobs (for example, system administrators) can be denied access, which can disrupt critical operations.


Optimal Strategies for Minimizing Operational Disruption

The Deny log on as a batch job security setting is designed to mitigate vulnerabilities and attacks that could exploit batch job execution on a system. Here is why automated configuration hardening is the best approach for avoiding disruption of critical operations caused by improper configuration.

Automated configuration hardening can define clear exceptions by identifying and whitelisting the legitimate user accounts or groups that need permission to run batch jobs. Automated hardening tools can also track configuration changes and allow easy rollback in case of unintended consequences.
