Standard user accounts must only have Read permissions to the Winlogon registry key.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26070 | WN12-RG-000001 | SV-53123r1_rule | ECCD-1 ECCD-2 | High |
| Description |
|---|
| Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have this capability, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system. |
| STIG | Date |
|---|---|
| Windows Server 2012 Domain Controller Security Technical Implementation Guide | 2014-01-07 |
Details
| Check Text ( C-47429r1_chk ) |
|---|
| Navigate to the following registry key and review the assigned permissions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Standard user accounts and groups must only have Read permissions to this registry key. If any standard user accounts or groups have greater permissions, this is a finding. The default permissions satisfy this requirement. |
| Fix Text (F-46049r1_fix) |
|---|
| Ensure only Read permissions are assigned to standard user accounts and groups for the following registry key. The default configuration satisfies this requirement. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |