Conflicting Rules ID: A-PreWin2000Other vs. A-PreWin2000AuthenticatedUsers
Both rules check the members of the "Pre-Windows 2000 Compatible Access" group in Active Directory! According to rule A-PreWin2000AuthenticatedUsers (which is only an informative one!!) there should be NO "Authenticated Users" group member of the preWin2k group, and that is how it should be, because this preWin2000 gives the members too many read permissions inside AD!
In my opinion this rule should NOT be an informative one; instead it should give points if NOT fulfilled (Authenticated Users still in there!).
https://www.semperis.com/blog/security-risks-pre-windows-2000-compatibility-windows-2022/
https://www.vidrasec.com/blog/built-in-insecurities-win2k/
The other rule, which is not an informative one, results if you make it correct, because as soon as you remove the Authenticated Users from the preWin2k, you can (maybe you shouldn't) add individual users to allow the function of certain software...
In an ideal world, you would give the according users the proper permissions inside AD/RBAC, so maybe getting some points from this rule is still "ok" if you misuse the group...
But one thing that's definitely not correct: in the rule description of A-PreWin2000Other, the advised solution is to add the "Authenticated Users" to the PreWin2k group, and that's definitely not correct!