Navigate

Check: WN11-UR-000045

Microsoft Windows 11 STIG: WN11-UR-000045 (in versions v1 r6 through v1 r1)

Title

The "Create a token object" user right must not be assigned to any groups or accounts. (Cat I impact)

Discussion

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right allows a process to create an access token. This could be used to provide elevated rights and compromise a system.

Check Content

Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts are granted the "Create a token object" user right, this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).

Additional Identifiers

Rule ID: SV-253486r877392_rule

Vulnerability ID: V-253486

Group Title: SRG-OS-000324-GPOS-00125

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-002205	The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.
CCI-002235	The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-4 (17)	Domain Authentication
AC-6 (10)	Prohibit Non-Privileged Users From Executing Privileged Functions