
User rights and advanced user rights settings do not meet minimum requirements.


Overview

Finding ID: V-1103
Version: 4.010
Rule ID: SV-18398r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Inappropriate granting of user rights and advanced user rights can give accounts system-level, administrative, and other high-level capabilities that a normal user does not require.
STIG: Windows 2003 Domain Controller Security Technical Implementation Guide
Date: 2012-09-05

Details

Check Text ( C-18042r1_chk )
Further policy details.
Note: If an account on the list has been deleted from the system, such as the Support_388945a0 account, the Gold Disk may incorrectly report the account as a finding. If the account does not exist on the system, it is not a finding.

Note: The Gold Disk will remediate all User Rights EXCEPT “Manage auditing and security log”. It will report any users/groups with this User Right for review since the site can determine what the “Auditors” group will be named.
-------------------------------------------------------

LIST OF AUTHORIZED USER RIGHTS

Access this computer from the network – Administrators, Authenticated Users, Enterprise Domain Controllers

Act as part of the operating system – See separate vulnerability V0001102

Add workstations to domain – Administrators

Adjust memory quotas for a process – Administrators, Local Service, Network Service

Allow log on locally – Administrators, Backup Operators

Allow log on through Terminal Services – (None)

Back up files and directories – Administrators, Backup Operators

Bypass traverse checking – Authenticated Users

Change the system time – Administrators, Local Service

Create a pagefile – Administrators

Create a token object – (None)

Create global objects – Administrators, Service

Create permanent shared objects – (None)

Debug programs – See separate vulnerability V0018010

Deny access to this computer from the network – See separate vulnerability V0001155

Deny logon as a batch job – Guests, Support_388945a0

Deny logon as a service – (None)

Deny logon locally – Guests, Support_388945a0

Deny logon through Terminal Services – Everyone (replace with Guests if configured as a terminal server or remote administration only)

Enable computer and user accounts to be trusted for delegation – Administrators

Force shutdown from a remote system – Administrators

Generate security audits – Local Service, Network Service

Impersonate a client after authentication – Administrators, Service

Increase scheduling priority – Administrators

Load and unload device drivers – Administrators

Lock pages in memory – (None)

Log on as a batch job – (None)

Log on as a service – Network Service

Manage auditing and security log – “Auditor’s” Group (Exchange Enterprise Servers Group on Domain Controllers and Exchange Servers)

Modify firmware environment values – Administrators

Perform volume maintenance tasks – Administrators

Profile single process – Administrators

Profile system performance – Administrators

Remove computer from docking station – Administrators

Replace a process level token – Local Service, Network Service

Restore files and directories – Administrators, Backup Operators

Shut down the system – Administrators

Synchronize directory service data – Checked in DS STIG Checklist

Take ownership of files or other objects – Administrators

--------------------------------------------------------
Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the IAO. Acceptable forms of documentation include vendor published documents and application owner confirmation.

Check procedures:
1. Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.

2. Navigate to Local Policies -> User Rights Assignment.

3. Compare the User Rights to the list above titled LIST OF AUTHORIZED USER RIGHTS. If any accounts or groups have been assigned rights that they are not authorized to hold, this is a finding.
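The same comparison can be scripted against a policy export instead of read off the snap-in by hand. The following is an added example, not part of the STIG or the Gold Disk: it parses the [Privilege Rights] section of a file written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`, resolves the well-known SIDs that secedit writes with a leading `*`, and reports every principal assigned beyond the authorized list. The AUTHORIZED table below is a representative subset of the list above (extend it to the full list; rights deferred to other STIG IDs are left out, and "Manage auditing and security log" is reported for review rather than compared, matching the Gold Disk note). The SAMPLE_EXPORT is constructed, modelled on Windows 2003 domain controller defaults, and the domain name and SIDs in it are invented.

```python
"""Added example: compare a secedit user-rights export with the V-1103 authorized list."""

# Well-known SIDs appear in the export as '*SID'; domain accounts appear as their
# own SIDs and are kept verbatim so the reviewer can resolve them.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-6": "Service", "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users", "S-1-5-19": "Local Service", "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators", "S-1-5-32-546": "Guests", "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators", "S-1-5-32-550": "Print Operators", "S-1-5-32-551": "Backup Operators",
}

# Privilege constant -> principals authorized by the LIST OF AUTHORIZED USER RIGHTS.
# Representative subset; rights deferred to other STIG IDs (SeTcbPrivilege, SeDebugPrivilege,
# SeDenyNetworkLogonRight, SeSyncAgentPrivilege) are omitted, SeSecurityPrivilege is reviewed separately.
AUTHORIZED = {
    "SeNetworkLogonRight": {"Administrators", "Authenticated Users", "Enterprise Domain Controllers"},
    "SeMachineAccountPrivilege": {"Administrators"},
    "SeInteractiveLogonRight": {"Administrators", "Backup Operators"},
    "SeRemoteInteractiveLogonRight": set(),
    "SeBackupPrivilege": {"Administrators", "Backup Operators"},
    "SeChangeNotifyPrivilege": {"Authenticated Users"},
    "SeCreateTokenPrivilege": set(),
    "SeDenyInteractiveLogonRight": {"Guests", "Support_388945a0"},
    "SeDenyRemoteInteractiveLogonRight": {"Everyone"},
    "SeServiceLogonRight": {"Network Service"},
    "SeShutdownPrivilege": {"Administrators"},
    "SeTakeOwnershipPrivilege": {"Administrators"},
}

# Constructed sample export (not from a real system), modelled on Windows 2003 DC defaults.
SAMPLE_EXPORT = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11,*S-1-5-9
SeMachineAccountPrivilege = *S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-550,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeChangeNotifyPrivilege = *S-1-5-11
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1234567890-1234567890-1234567890-1105
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544,CONTOSO\\Auditors
"""


def parse_privilege_rights(inf_text):
    """Return {privilege constant: set of principal names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = set()
        for entry in (e.strip() for e in value.split(",")):
            if entry.startswith("*"):  # '*SID' form; unknown SIDs are kept as-is
                entry = WELL_KNOWN_SIDS.get(entry[1:], entry[1:])
            if entry:
                principals.add(entry)
        rights[name.strip()] = principals
    return rights


def check_user_rights(inf_text):
    """Return {privilege: {"unauthorized": set, "missing": set}} for rights that differ.
    Extra principals are the finding the check text describes; missing ones are listed
    for review only (a missing entry for a deleted account such as Support_388945a0 is not a finding)."""
    actual = parse_privilege_rights(inf_text)
    results = {}
    for priv, allowed in AUTHORIZED.items():
        assigned = actual.get(priv, set())  # a right absent from the export is held by no one
        extra, missing = assigned - allowed, allowed - assigned
        if extra or missing:
            results[priv] = {"unauthorized": extra, "missing": missing}
    return results


def auditor_review(inf_text):
    """Holders of 'Manage auditing and security log', reported for site review
    because the Auditors group name is chosen by the site."""
    return parse_privilege_rights(inf_text).get("SeSecurityPrivilege", set())


if __name__ == "__main__":
    # On a live system read the export with encoding="utf-16" (secedit writes UTF-16LE).
    for priv, diff in sorted(check_user_rights(SAMPLE_EXPORT).items()):
        for kind in ("unauthorized", "missing"):
            if diff[kind]:
                print(f"{priv}: {kind}: {', '.join(sorted(diff[kind]))}")
    print("SeSecurityPrivilege (review):", ", ".join(sorted(auditor_review(SAMPLE_EXPORT))))
```

Run against the sample, the script flags Everyone on "Access this computer from the network", Account/Print/Server Operators on "Allow log on locally", Administrators on "Allow log on through Terminal Services", and an unresolved domain SID on "Log on as a service", and lists the absent Everyone on "Deny logon through Terminal Services" and the absent Support_388945a0 for review. Anything not resolved from WELL_KNOWN_SIDS should be looked up before it is written up as a finding, since the export only shows SIDs for domain principals.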
Fix Text (F-5747r1_fix)
Configure the system to prevent accounts from having unauthorized User Rights.