Rule 2.2.21 has incorrect default values

[jrdbarnes]

Have you checked ReadtheDocs?:

Describe the Issue
The control 2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only) is intended to block Guests and Local accounts which are also members of the Administrators group

It is currently blocks all Administrators from connecting to the server.

Expected Behavior
The control 2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only) should block

• Guests
• Local accounts which are also members of the Administrators group

Actual Behavior
The task -
"2.2.22 | PATCH | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only | Member Server"

Windows-2022-CIS/tasks/ansible_hardening/section02.yml

Lines 694 to 696 in d6f0705

	- Guests
	- Local Account
	- Administrators

actually blocks:

• Guests
• Local accounts
• Administrators group

Control(s) Affected
2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

Environment (please complete the following information):

I would expect this to affect all environments when run on a domain member server.

Additional Notes
Anything additional goes here

Possible Solution
The below security identifier should be available, but I haven't done any testing.

   users:
      - Guests
      - Local account and member of Administrators group