Standard user accounts must only have Read permissions to the Winlogon registry key.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-26070	WN12-RG-000001	SV-53123r4_rule		High

Description
Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have these permissions, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.

STIG	Date
Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide	2017-12-05

Details

Check Text ( C-74017r2_chk )
Run "Regedit". Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Right-click on "WinLogon" and select "Permissions…". Select "Advanced". If the permissions are not as restrictive as the defaults listed below, this is a finding. The following are the same for each permission listed: Type - Allow Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Applies to - This key and subkeys Columns: Principal - Access TrustedInstaller - Full Control SYSTEM - Full Control Administrators - Full Control Users - Read ALL APPLICATION PACKAGES - Read

Check Text ( C-74017r2_chk )

Run "Regedit".
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Right-click on "WinLogon" and select "Permissions…".
Select "Advanced".

If the permissions are not as restrictive as the defaults listed below, this is a finding.

The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Applies to - This key and subkeys

Columns: Principal - Access
TrustedInstaller - Full Control
SYSTEM - Full Control
Administrators - Full Control
Users - Read
ALL APPLICATION PACKAGES - Read

Fix Text (F-80413r1_fix)
Maintain permissions at least as restrictive as the defaults listed below for the "WinLogon" registry key. It is recommended to not change the permissions from the defaults. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ The following are the same for each permission listed: Type - Allow Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Applies to - This key and subkeys Columns: Principal - Access TrustedInstaller - Full Control SYSTEM - Full Control Administrators - Full Control Users - Read ALL APPLICATION PACKAGES - Read

Fix Text (F-80413r1_fix)

Maintain permissions at least as restrictive as the defaults listed below for the "WinLogon" registry key. It is recommended to not change the permissions from the defaults.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Applies to - This key and subkeys

Columns: Principal - Access
TrustedInstaller - Full Control
SYSTEM - Full Control
Administrators - Full Control
Users - Read
ALL APPLICATION PACKAGES - Read