UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

User rights assignments must meet minimum requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1103 4.010-DC SV-18398r3_rule ECLP-1 Medium
Description
Inappropriate granting of user and advanced user rights can provide system, administrative, and other high level capabilities not required by the normal user.
STIG Date
Windows 2003 Domain Controller Security Technical Implementation Guide 2014-12-13

Details

Check Text ( None )
None
Fix Text (F-53977r1_fix)
Configure User Rights as listed below to prevent groups or accounts from having unauthorized rights.

Access this computer from the network - Administrators, Authenticated Users, Enterprise Domain Controllers

Act as part of the operating system - See separate vulnerability V-1102

Add workstations to domain - Administrators

Adjust memory quotas for a process - Administrators, Local Service, Network Service

Allow log on locally - Administrators, Backup Operators

Allow log on through Terminal Services - (None)

Backup files and directories - Administrators, Backup Operators

Bypass traverse checking - Authenticated Users

Change the system time - Administrators, Local Service

Create a pagefile - Administrators

Create a token object - (None)

Create global objects - Administrators, Service

Create permanent shared objects - (None)

Debug programs - See separate vulnerability V-18010

Deny access to this computer from the network - See separate vulnerability V-1155

Deny log on as a batch job - See separate vulnerability V-26483

Deny log on as a service - See separate vulnerability V-26484

Deny log on locally - See separate vulnerability V-26485

Deny log on through Terminal Services - See separate vulnerability V-26486

Enable computer and user accounts to be trusted for delegation - Administrators

Force shutdown from a remote system - Administrators

Generate security audits - Local Service, Network Service

Impersonate a client after authentication - Administrators, Service

Increase scheduling priority - Administrators

Load and unload device drivers - Administrators

Lock pages in memory - (None)

Log on as a batch job - (None)

Log on as a service - Network Service

Manage auditing and security log - "Auditor’s" Group (Exchange Enterprise Servers Group on Domain Controllers and Exchange Servers)

Modify firmware environment values - Administrators

Perform volume maintenance tasks - Administrators

Profile single process - Administrators

Profile system performance - Administrators

Remove computer from docking station - Administrators

Replace a process level token - Local Service, Network Service

Restore files and directories - Administrators, Backup Operators

Shut down the system - Administrators

Synchronize directory service data - See separate vulnerability V-12780

Take ownership of files or other objects - Administrators

Document any exceptions with the IAO.