Standard user accounts must only have Read permissions to the Winlogon registry key.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| WN12-RG-000001 | WN12-RG-000001 | WN12-RG-000001_rule | High |
| Description |
|---|
| Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have this capability, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system. |
| STIG | Date |
|---|---|
| Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide | 2013-07-25 |
Details
| Check Text ( C-WN12-RG-000001_chk ) |
|---|
| Navigate to the following registry key and review the assigned permissions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Standard user accounts and groups must only have Read permissions to this registry key. If any standard user accounts or groups have greater permissions, this is a finding. The default permissions satisfy this requirement. |
| Fix Text (F-WN12-RG-000001_fix) |
|---|
| Ensure only Read permissions are assigned to standard user accounts and groups for the following registry key. The default configuration satisfies this requirement. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |