Many published security standards (including the Microsoft security baselines) contain entries advising that various list-based policies be set to "No One". For example, the CIS audit data for the setting Log on as a service includes:
This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an enterprise environment.
On Windows Vista-based (and newer) computers, no users or groups have this privilege by default.
The recommended state for this setting is: 'No One'.
Note that the recommendation above is enclosed in single quotes as if it's a string.
Occasionally a client will want me to explicitly set certain policies to match the default for that policy. When it comes to the policies with a list box containing no entries (as opposed to just "Enabled" and "Disabled"), I will generally just enable the policy and leave the list blank (i.e. "No One" is listed on the list).
But this client (not naming names) is insisting that creating an explicit setting to match the default using a blank list will not meet the recommended solution. He is firm that changing a setting to "No One" means enabling the policy and configuring it such that the required list contains only a single item named "No One". "No One". Like actually clicking the 'Add User or Group' button and typing 'No One' in the box. Based on the sentence structure, I can see how he would get that idea.
I've found a couple of aged forum posts here and there that sort of support my stance. But they are not exactly what I would consider authoritative.
https://community.spiceworks.com/topic/2015177-cis-benchmark-lockdowns-the-no-one-user
And, just for the sake of my own sanity, I've confirmed that "No One" is not one of the reserved names in a Windows or AD environment:
If the setting is actually defined with the string "No One", a foolish (or malicious) domain admin could create a domain user or group with that name and immediately create the very antithesis of a secure AD environment.
Assuming that I will never find anything authoritative to back up my words, how can I mitigate the risk of an admin creating an AD object named "No One" and thereby getting the very permissions the GPO was intended to prevent?
I am thinking this might work:
That would reserve the object names and lock them down to prevent changes in membership. But there would still be nothing to prevent an admin from changing it back, or deleting the account and creating another one, etc.
That's very clunky though. Short of telling my client to pound sand, I would very much like a more elegant solution.
You are right that the correct approach to denying access to everyone is to enable the policy and leave the list blank. The act of enabling the policy changes the default permission to "Deny" and only allows the accounts you add to the list. As soon as you add anything to the list, you are allowing the permission to someone.
I'm not sure where you are seeing that description though, since when I look at the setting in gpedit.msc, I see this:
Log on as a service
This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right.
Default setting: None.
Or you can refer to this, where it uses the term "Not defined".
But if they insist on reading the description you included here, then your client is being pedantic. But you can be pedantic too. :) Focus on the actual words.
You say your client wants you to "explicitly set certain policies to match the default". Where is the word "default" used in the description of the policy? Here:
On Windows Vista-based (and newer) computers, no users or groups have this privilege by default.
That's pretty clear that the default is an empty list, not some mythical "no one".
The fact that the recommended state seems like something else doesn't matter. They didn't ask for the recommended state, they asked for the default.
Interestingly, there is a well-known SID called "Nobody", but I haven't been able to actually add this to permissions anywhere.
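One way to audit the point the answer makes (an empty list is the real "No One", and any entry on the list is a grant) and the risk the question raises (a principal literally named "No One"): this is an added PowerShell example, not code from the question, the answer or CIS. It assumes an elevated session on a Windows host with secedit.exe, and the ActiveDirectory module is optional.

```powershell
# Added example: audit who actually holds a user right such as SeServiceLogonRight.
# Assumes an elevated session; secedit.exe ships with Windows, ActiveDirectory module is optional.
function Get-UserRightAssignees {
    param([Parameter(Mandatory)][string]$Right)   # e.g. SeServiceLogonRight
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes an INI-style file; user rights live under [Privilege Rights]
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }                # right not in export: nobody holds it
    $raw = ($line -split '=', 2)[1].Trim()
    if ($raw -eq '') { return @() }               # enabled with an empty list: the genuine "No One"
    foreach ($entry in ($raw -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # entries prefixed with * are SIDs; resolve them to account names where possible
            $sid = [System.Security.Principal.SecurityIdentifier]($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry.Substring(1) }         # orphaned SID: report it as-is
        } else { $entry }
    }
}

$assignees = @(Get-UserRightAssignees -Right 'SeServiceLogonRight')
if ($assignees.Count -eq 0) {
    Write-Output 'SeServiceLogonRight: no assignees (the recommended "No One" state).'
} else {
    Write-Output "SeServiceLogonRight is held by: $($assignees -join ', ')"
    # The failure mode from the question: a real account or group literally called "No One"
    $assignees | Where-Object { ($_ -split '\\')[-1] -eq 'No One' } |
        ForEach-Object { Write-Warning "Principal named 'No One' holds the right: $_" }
}

# Optional: check whether any AD object would make the literal string "No One" resolvable at all
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADObject -LDAPFilter '(name=No One)' |
        ForEach-Object { Write-Warning "AD object named 'No One' exists: $($_.DistinguishedName)" }
}
```

The same function can be pointed at any other right from the [Privilege Rights] section (for example SeDenyNetworkLogonRight) to compare the effective assignment against the baseline.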