Check: 3.055
Windows Vista STIG:
3.055
(in versions v6 r42 through v6 r41)
Title
The default permissions of Global system objects are not increased. (Cat III impact)
Discussion
Windows system maintains a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create.
Check Content
Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for “System Objects: Strengthen default permissions of internal system objects (e.g. Symbolic links)” is not set to “Enabled”, then this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “System Objects: Strengthen default permissions of internal system objects (e.g. Symbolic links)” to “Enabled”.
Additional Identifiers
Rule ID: SV-29222r1_rule
Vulnerability ID: V-1173
Group Title: Global System Objects Permission Strength
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |