UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

User rights and advanced user rights settings do not meet minimum requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1103 4.010 SV-18394r1_rule ECLP-1 Medium
Description
Inappropriate granting of user and advanced user rights can provide system, administrative, and other high level capabilities not required by the normal user.
STIG Date
Windows 2008 Domain Controller Security Technical Implementation Guide 2012-06-29

Details

Check Text ( C-18038r1_chk )
Windows 2008 Domain Controller

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.

Navigate to Local Policies -> User Rights Assignment.

Compare the User Rights to the following list. If any unauthorized accounts are given rights that they are not authorized in the chart, then this is a finding.

Access credential manager as a trusted caller – (None)

Access this computer from network – Administrators, Authenticated Users, Enterprise Domain Controllers

Act as part of the operating system – See separate vulnerability 4.009/V0001102

Add workstations to domain – Administrators

Adjust memory quotas for a process – Administrators, Local Service, Network Service

Allow log on locally – Administrators

Allow log on through Terminal Services – Administrators

Backup files and directories – Administrators

Bypass traverse checking – Administrators, Authenticated Users, Local Service, Network Service

Change the system time – Administrators, Local Service

Change the time zone – Administrators, Local Service

Create a pagefile – Administrators

Create a token object – (None)

Create global objects – Administrators, Service, Local Service, Network Service

Create permanent shared objects – (None)

Create symbolic link – Administrators

Debug programs – See separate vulnerability 4.005/V0018010

Deny access to this computer from the network – See separate vulnerability 4.025/V0001155

Deny logon as a batch job – Guests

Deny logon as a service – (None)

Deny logon locally – Guests

Deny log on through Terminal Services – Guests

Enable computer and user accounts to be trusted for delegation – Administrators

Force shutdown from a remote system – Administrators

Generate security audits – Local Service, Network Service

Impersonate a client after authentication – Administrators, Service, Local Service, Network Service

Increase a process working set – Administrators, Local Service

Increase scheduling priority – Administrators

Load and unload device drivers – Administrators

Lock pages in memory – (None)

Log on as a batch job – Administrators

Log on as a service – Not Defined

Manage auditing and security log – “Auditor’s” Group, Exchange Enterprise Servers Group

Modify an object label – Administrators

Modify firmware environment values – Administrators

Perform volume maintenance tasks – Administrators

Profile single process – Administrators

Profile system performance – Administrators

Remove computer from docking station – Administrators

Replace a process level token – Local Service, Network Service

Restore files and directories – Administrators

Shut down the system – Administrators

Synchronize directory service data – Not Defined (Directory Services Checklist)

Take ownership of files or other objects – Administrators

Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the IAO. Acceptable forms of documentation include vendor published documents and application owner confirmation.
Fix Text (F-5747r1_fix)
Configure the system to prevent accounts from having unauthorized User Rights.