Details
When configuring either the startup mode or access control list for a service, you must configure the other as well. When a service is explicitly disabled, its ACL should also be secured by changing the default ACL from Everyone Full Control to grant Administrators and SYSTEM Full Control and Interactive Read access.
Solution
Create a Custom Security Template using the Security Template MMC Snap-in to set the permissions as required for disabled services.
Import the Custom Template into the Security Configuration and Analysis Snap-in and select Configure Computer Now.
Or import the Custom Template into a Group Policy for application.
The administrator should have a thorough understanding of these tools before implementing settings with them.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
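Because the check is manual, the following PowerShell sketch is an added example (not part of the benchmark or of Nessus) that lists every disabled service and flags any allow ACE outside the ACL described above. It assumes PowerShell 3.0 or later and that "Read" means the service rights written in SDDL as CCLCSWLOCRRC.

```powershell
# Added example. Expected DACL per the check text: Administrators and SYSTEM
# Full Control, Interactive Read. Masks are service access rights.
$FullControl = 0xF01FF   # SERVICE_ALL_ACCESS
$Read        = 0x2018D   # assumption: "Read" = SDDL rights CCLCSWLOCRRC
$expected = @{
    'S-1-5-32-544' = $FullControl   # BUILTIN\Administrators
    'S-1-5-18'     = $FullControl   # NT AUTHORITY\SYSTEM
    'S-1-5-4'      = $Read          # NT AUTHORITY\INTERACTIVE
}

Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Disabled'" | ForEach-Object {
    $name = $_.Name
    $findings = @()
    # sc.exe sdshow prints the service security descriptor as one SDDL line.
    $sddl = & sc.exe sdshow $name |
        Where-Object { $_ -match '^\s*[OGDS]:' } |
        Select-Object -First 1
    if (-not $sddl) {
        $findings += 'security descriptor could not be read'
    } else {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl.Trim()
        if ($null -eq $sd.DiscretionaryAcl) {
            $findings += 'NULL DACL (no access restrictions)'
        }
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow ACEs grant access; deny ACEs can only restrict it further.
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if (-not $expected.ContainsKey($sid)) {
                $findings += ('unexpected trustee {0} (mask 0x{1:X})' -f $sid, $ace.AccessMask)
            } elseif ($ace.AccessMask -band (-bnot $expected[$sid])) {
                $findings += ('{0} holds rights beyond the expected mask (0x{1:X})' -f $sid, $ace.AccessMask)
            }
        }
    }
    [pscustomobject]@{
        Service   = $name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}
```

Run it from an elevated prompt so that `sc.exe sdshow` can read every service; a service still carrying an Everyone (S-1-1-0) ACE appears as an unexpected trustee.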
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Rule-ID|SV-29524r1_rule
- STIG-ID|2.014
- Vuln-ID|V-2371