User rights assignments must meet minimum requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1103	4.010	SV-18392r3_rule		Medium

Description
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities not required by the normal user.

STIG	Date
Windows Vista Security Technical Implementation Guide	2016-10-28

Details

Check Text ( None )
None

Fix Text (F-67155r2_fix)
Configure the policy values for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> as listed below: Access this computer from the network - Administrators Act as part of the operating system - See separate requirement V-1102 Adjust memory quotas for a process - Administrators, Local Service, Network Service Allow log on locally - Administrators, Users Allow log on through Terminal Services - (None) Backup files and directories - Administrators Bypass traverse checking - Administrators, Users, Local Service, Network Service Change the system time - Administrators, Local Service Change the time zone - Administrators, Users, Local Service Create a pagefile - Administrators Create a token object - (None) Create global objects - Administrators, Service, Local Service, Network Service Create permanent shared objects - (None) Create symbolic links - Administrators Debug programs - See separate requirement V-18010 Deny access to this computer from the network - See separate requirement V-1155 Deny log on as a batch job - See separate requirement V-26483 Deny log on as a service - See separate requirement V-26484 Deny log on locally - See separate requirement V-26485 Deny log on through Terminal Services - See separate requirement V-26486 Enable computer and user accounts to be trusted for delegation - (None) Force shutdown from a remote system - Administrators Generate security audits - Local Service, Network Service Impersonate a client after authentication - Administrators, Service, Local Service, Network Service Increase a process working set - Administrators, Local Service Increase scheduling priority - Administrators Load and unload device drivers - Administrators Lock pages in memory - (None) Log on as a batch job - (None) Log on as a service - (None) Manage auditing and security log - Administrators If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding. Modify an object label - (None) Modify firmware environment values - Administrators Perform volume maintenance tasks - Administrators Profile single process - Administrators Profile system performance - Administrators Remove computer from docking station - Administrators, Users Replace a process level token - Local Service, Network Service Restore files and directories - Administrators Shut down the system - Administrators, Users Take ownership of files or other objects - Administrators

Fix Text (F-67155r2_fix)

Configure the policy values for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> as listed below:

Access this computer from the network - Administrators

Act as part of the operating system - See separate requirement V-1102

Adjust memory quotas for a process - Administrators, Local Service, Network Service

Allow log on locally - Administrators, Users

Allow log on through Terminal Services - (None)

Backup files and directories - Administrators

Bypass traverse checking - Administrators, Users, Local Service, Network Service

Change the system time - Administrators, Local Service

Change the time zone - Administrators, Users, Local Service

Create a pagefile - Administrators

Create a token object - (None)

Create global objects - Administrators, Service, Local Service, Network Service

Create permanent shared objects - (None)

Create symbolic links - Administrators

Debug programs - See separate requirement V-18010

Deny access to this computer from the network - See separate requirement V-1155

Deny log on as a batch job - See separate requirement V-26483

Deny log on as a service - See separate requirement V-26484

Deny log on locally - See separate requirement V-26485

Deny log on through Terminal Services - See separate requirement V-26486

Enable computer and user accounts to be trusted for delegation - (None)

Force shutdown from a remote system - Administrators

Generate security audits - Local Service, Network Service

Impersonate a client after authentication - Administrators, Service, Local Service, Network Service

Increase a process working set - Administrators, Local Service

Increase scheduling priority - Administrators

Load and unload device drivers - Administrators

Lock pages in memory - (None)

Log on as a batch job - (None)

Log on as a service - (None)

Manage auditing and security log - Administrators
If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding.

Modify an object label - (None)

Modify firmware environment values - Administrators

Perform volume maintenance tasks - Administrators

Profile single process - Administrators

Profile system performance - Administrators

Remove computer from docking station - Administrators, Users

Replace a process level token - Local Service, Network Service

Restore files and directories - Administrators

Shut down the system - Administrators, Users

Take ownership of files or other objects - Administrators