Check: WN08-UR-000039
Windows 8/8.1 STIG:
WN08-UR-000039
(in versions v1 r23 through v1 r16)
Title
Unauthorized accounts must not have the Replace a process level token user right. (Cat II impact)
Discussion
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Replace a process level token" user right allows one process or service to start another process or service with a different security access token. A user with this right could use this to impersonate another account.
Check Content
Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Replace a process level token" user right, this is a finding: Local Service Network Service
Fix Text
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Replace a process level token" to only include the following accounts or groups: Local Service Network Service
Additional Identifiers
Rule ID: SV-48512r2_rule
Vulnerability ID: V-26503
Group Title: Replace a process level token
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002235 |
Prevent non-privileged users from executing privileged functions. |
Controls
Number | Title |
---|---|
AC-6(10) |
Prohibit Non-privileged Users from Executing Privileged Functions |