May we remove User Rights Assignment on Site and Notification Server so that we meet STIG 26489?
Steps to implement:
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding:
Local Service
Network Service
We found that removing the AppPool information from the User Rights Assignment on the Package Server caused unstable communications between NS and Site Servers. It is not recommended.
We also found that reinstalling Package and Task Services recreates these assignments.