STIGQter STIGQter: STIG Summary: Windows 2008 Member Server Security Technical Implementation Guide Version: 6 Release: 43 Benchmark Date: 26 Jul 2019: User rights assignments must meet minimum requirements.

DISA Rule

SV-18393r4_rule

Vulnerability Number

V-1103

Group Title

User Rights Assignments

Rule Version

4.010-MS

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the policy values for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> as listed below:

Access Credential Manager as a trusted caller - (None)

Access this computer from the network - Administrators, Authenticated Users

Act as part of the operating system - See separate requirement V-1102

Allow log on locally - Administrators

Allow log on through Terminal Services - Administrators

Backup files and directories - Administrators

Bypass traverse checking - Administrators, Authenticated Users, Local Service, Network Service

Change the system time - Administrators, Local Service

Change the time zone - Administrators, Local Service

Create a pagefile - Administrators

Create a token object - (None)

Create global objects - Administrators, Service, Local Service, Network Service

Create permanent shared objects - (None)

Create symbolic links - Administrators

Debug programs - See separate requirement V-18010

Deny access to this computer from the network - See separate requirement V-1155

Deny log on as a batch job - See separate requirement V-26483

Deny log on as a service - See separate requirement V-26484

Deny log on locally - See separate requirement V-26485

Deny log on through Terminal Services - See separate requirement V-26486

Enable computer and user accounts to be trusted for delegation - Administrators

Force shutdown from a remote system - Administrators

Generate security audits - Local Service, Network Service

Impersonate a client after authentication - Administrators, Service, Local Service, Network Service

Increase scheduling priority - Administrators

Load and unload device drivers - Administrators

Lock pages in memory - (None)

Manage auditing and security log - Administrators; plus Exchange Enterprise Servers Group on Exchange Servers
If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding.

Modify an object label - Administrators

Modify firmware environment values - Administrators

Perform volume maintenance tasks - Administrators

Profile single process - Administrators

Profile system performance - Administrators

Remove computer from docking station - Administrators

Replace a process level token - Local Service, Network Service

Restore files and directories - Administrators

Shut down the system - Administrators

Take ownership of files or other objects - Administrators

Check Contents

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies >> User Rights Assignment.

Compare the User Rights to the following list. If any groups or accounts are given rights that are not authorized below, this is a finding.

Access Credential Manager as a trusted caller - (None)

Access this computer from the network - Administrators, Authenticated Users

Act as part of the operating system - See separate requirement V-1102

Allow log on locally - Administrators

Allow log on through Terminal Services - Administrators

Backup files and directories - Administrators

Bypass traverse checking - Administrators, Authenticated Users, Local Service, Network Service

Change the system time - Administrators, Local Service

Change the time zone - Administrators, Local Service

Create a pagefile - Administrators

Create a token object - (None)

Create global objects - Administrators, Service, Local Service, Network Service

Create permanent shared objects - (None)

Create symbolic links - Administrators

Debug programs - See separate requirement V-18010

Deny access to this computer from the network - See separate requirement V-1155

Deny log on as a batch job - See separate requirement V-26483

Deny log on as a service - See separate requirement V-26484

Deny log on locally - See separate requirement V-26485

Deny log on through Terminal Services - See separate requirement V-26486

Enable computer and user accounts to be trusted for delegation - Administrators

Force shutdown from a remote system - Administrators

Generate security audits - Local Service, Network Service

Impersonate a client after authentication - Administrators, Service, Local Service, Network Service

Increase scheduling priority - Administrators

Load and unload device drivers - Administrators

Lock pages in memory - (None)

Manage auditing and security log - Administrators; plus Exchange Enterprise Servers Group on Exchange Servers
If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding.

Modify an object label - Administrators

Modify firmware environment values - Administrators

Perform volume maintenance tasks - Administrators

Profile single process - Administrators

Profile system performance - Administrators

Remove computer from docking station - Administrators

Replace a process level token - Local Service, Network Service

Restore files and directories - Administrators

Shut down the system - Administrators

Take ownership of files or other objects - Administrators

Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the ISSO. Acceptable forms of documentation include vendor published documents and application owner confirmation.

Vulnerability Number

V-1103

Documentable

True

Rule Version

4.010-MS

Severity Override Guidance

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies >> User Rights Assignment.

Compare the User Rights to the following list. If any groups or accounts are given rights that are not authorized below, this is a finding.

Access Credential Manager as a trusted caller - (None)

Access this computer from the network - Administrators, Authenticated Users

Act as part of the operating system - See separate requirement V-1102

Allow log on locally - Administrators

Allow log on through Terminal Services - Administrators

Backup files and directories - Administrators

Bypass traverse checking - Administrators, Authenticated Users, Local Service, Network Service

Change the system time - Administrators, Local Service

Change the time zone - Administrators, Local Service

Create a pagefile - Administrators

Create a token object - (None)

Create global objects - Administrators, Service, Local Service, Network Service

Create permanent shared objects - (None)

Create symbolic links - Administrators

Debug programs - See separate requirement V-18010

Deny access to this computer from the network - See separate requirement V-1155

Deny log on as a batch job - See separate requirement V-26483

Deny log on as a service - See separate requirement V-26484

Deny log on locally - See separate requirement V-26485

Deny log on through Terminal Services - See separate requirement V-26486

Enable computer and user accounts to be trusted for delegation - Administrators

Force shutdown from a remote system - Administrators

Generate security audits - Local Service, Network Service

Impersonate a client after authentication - Administrators, Service, Local Service, Network Service

Increase scheduling priority - Administrators

Load and unload device drivers - Administrators

Lock pages in memory - (None)

Manage auditing and security log - Administrators; plus Exchange Enterprise Servers Group on Exchange Servers
If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding.

Modify an object label - Administrators

Modify firmware environment values - Administrators

Perform volume maintenance tasks - Administrators

Profile single process - Administrators

Profile system performance - Administrators

Remove computer from docking station - Administrators

Replace a process level token - Local Service, Network Service

Restore files and directories - Administrators

Shut down the system - Administrators

Take ownership of files or other objects - Administrators

Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the ISSO. Acceptable forms of documentation include vendor published documents and application owner confirmation.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1340

Comments