Check: 2.023
Windows 2008 Member Server STIG: 2.023 (in versions v6 r46 through v6 r36)
Title
Standard user accounts must only have Read permissions to the Winlogon registry key. (Cat I impact)
Discussion
Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have this capability there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.
Check Content
Run "Regedit".
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Right-click on "WinLogon" and select "Permissions…".
Select "Advanced".

If the permissions are not as restrictive as the defaults listed below, this is a finding.

The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE

Name | Permission | Apply to |
---|---|---|
Users | Read | This key and subkeys |
Administrators | Full Control | This key and subkeys |
SYSTEM | Full Control | This key and subkeys |
CREATOR OWNER | Special | Subkeys only |

(Special = Full Control)
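The same check can be scripted. The PowerShell below is an added example, not part of the STIG text: it reads the key's ACL and lists every Allow entry that grants more than Read to an identity other than Administrators, SYSTEM or CREATOR OWNER. The rights mask and the rule "any such entry is a finding" are this example's interpretation of "not as restrictive as the defaults".

```powershell
# Added example (not from the STIG): audit the Winlogon key ACL against the
# baseline listed in this check.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Identities the baseline allows more than Read, as well-known SIDs so the
# comparison does not depend on the display language.
$privilegedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0'         # CREATOR OWNER
)

# Access bits beyond Read: SetValue, CreateSubKey, CreateLink, Delete,
# ChangePermissions, TakeOwnership (0x000D0026) plus GENERIC_WRITE and
# GENERIC_ALL (0x50000000), which can appear on inherit-only entries.
$writeMask = 0x500D0026

$acl   = Get-Acl -Path $keyPath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Assumption of this example: an Allow entry that gives any identity outside
# the list above one of those bits is less restrictive than the defaults.
$findings = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $privilegedSids -notcontains $_.IdentityReference.Value -and
    (([int]$_.RegistryRights) -band $writeMask) -ne 0
})

if ($findings.Count -gt 0) {
    # Show each offending entry with enough detail to locate it in Regedit.
    $findings |
        Select-Object @{ Name = 'Sid'; Expression = { $_.IdentityReference.Value } },
            RegistryRights, IsInherited, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
    Write-Output 'FINDING: entries above grant more than Read on the Winlogon key.'
} else {
    Write-Output 'No Allow entry grants more than Read outside the baseline identities.'
}
```

Entries the script prints still need the manual comparison against the table in this check, since it reports on write-capable access only and does not verify the "Apply to" scope of the baseline entries.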
Fix Text
Maintain permissions at least as restrictive as the defaults listed below for the "WinLogon" registry key. It is recommended to not change the permissions from the defaults.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE

Name | Permission | Apply to |
---|---|---|
Users | Read | This key and subkeys |
Administrators | Full Control | This key and subkeys |
SYSTEM | Full Control | This key and subkeys |
CREATOR OWNER | Special | Subkeys only |

(Special = Full Control)
Additional Identifiers
Rule ID: SV-33308r3_rule
Vulnerability ID: V-26070
Group Title: Winlogon Registry Permissions
CCIs
Number | Definition |
---|---|
CCI-002235 | Prevent non-privileged users from executing privileged functions. |
Controls
Number | Title |
---|---|
AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions |