User rights and advanced user rights settings do not meet minimum requirements.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-1103 | 4.010 | SV-18393r1_rule | ECLP-1 | Medium |
| Description |
|---|
| Inappropriate granting of user and advanced user rights can provide system, administrative, and other high level capabilities not required by the normal user. |
| STIG | Date |
|---|---|
| Windows 2008 Member Server Security Technical Implementation Guide | 2012-07-02 |
Details
| Check Text ( C-18037r1_chk ) |
|---|
| Windows 2008 Member Server Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. Compare the User Rights chart to the following list. If any unauthorized accounts are given rights that they are not authorized in the chart, then this is a finding. Access credential manager as a trusted caller – (None) Access this computer from network – Administrators, Authenticated Users Act as part of the operating system – See separate vulnerability 4.009/V0001102 Add workstations to domain – Not Defined Adjust memory quotas for a process – Administrators, Local Service, Network Service Allow log on locally – Administrators Allow log on through Terminal Services – Administrators Backup files and directories – Administrators Bypass traverse checking – Administrators, Authenticated Users, Local Service, Network Service Change the system time – Administrators, Local Service Change the time zone – Administrators, Local Service Create a pagefile – Administrators Create a token object – (None) Create global objects – Administrators, Service, Local Service, Network Service Create permanent shared objects – (None) Create symbolic link – Administrators Debug programs – See separate vulnerability 4.005/V0018010 Deny access to this computer from the network – See separate vulnerability 4.025/V0001155 Deny logon as a batch job – Guests Deny logon as a service – (None) Deny logon locally – Guests Deny log on through Terminal Services – Guests Enable computer and user accounts to be trusted for delegation – Administrators Force shutdown from a remote system – Administrators Generate security audits – Local Service, Network Service Impersonate a client after authentication – Administrators, Service, Local Service, Network Service Increase a process working set – Administrators, Local Service Increase scheduling priority – Administrators Load and unload device drivers – Administrators Lock pages in memory – (None) Log on as a batch job – Administrators Log on as a service – Not Defined Manage auditing and security log – “Auditor’s” Group; plus Exchange Enterprise Servers Group on Exchange Servers Modify an object label – Administrators Modify firmware environment values – Administrators Perform volume maintenance tasks – Administrators Profile single process – Administrators Profile system performance – Administrators Remove computer from docking station – Administrators Replace a process level token – Local Service, Network Service Restore files and directories – Administrators Shut down the system – Administrators Synchronize directory service data – Not Defined (Directory Services Checklist) Take ownership of files or other objects – Administrators Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the IAO. Acceptable forms of documentation include vendor published documents and application owner confirmation. |
| Fix Text (F-5747r1_fix) |
|---|
| Configure the system to prevent accounts from having unauthorized User Rights. |