SV-18393r4_rule
V-1103
User Rights Assignments
4.010-MS
CAT II
10
Configure the policy values for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> as listed below:
Access Credential Manager as a trusted caller - (None)
Access this computer from the network - Administrators, Authenticated Users
Act as part of the operating system - See separate requirement V-1102
Allow log on locally - Administrators
Allow log on through Terminal Services - Administrators
Backup files and directories - Administrators
Bypass traverse checking - Administrators, Authenticated Users, Local Service, Network Service
Change the system time - Administrators, Local Service
Change the time zone - Administrators, Local Service
Create a pagefile - Administrators
Create a token object - (None)
Create global objects - Administrators, Service, Local Service, Network Service
Create permanent shared objects - (None)
Create symbolic links - Administrators
Debug programs - See separate requirement V-18010
Deny access to this computer from the network - See separate requirement V-1155
Deny log on as a batch job - See separate requirement V-26483
Deny log on as a service - See separate requirement V-26484
Deny log on locally - See separate requirement V-26485
Deny log on through Terminal Services - See separate requirement V-26486
Enable computer and user accounts to be trusted for delegation - Administrators
Force shutdown from a remote system - Administrators
Generate security audits - Local Service, Network Service
Impersonate a client after authentication - Administrators, Service, Local Service, Network Service
Increase scheduling priority - Administrators
Load and unload device drivers - Administrators
Lock pages in memory - (None)
Manage auditing and security log - Administrators; plus Exchange Enterprise Servers Group on Exchange Servers
If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding.
Modify an object label - Administrators
Modify firmware environment values - Administrators
Perform volume maintenance tasks - Administrators
Profile single process - Administrators
Profile system performance - Administrators
Remove computer from docking station - Administrators
Replace a process level token - Local Service, Network Service
Restore files and directories - Administrators
Shut down the system - Administrators
Take ownership of files or other objects - Administrators
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies >> User Rights Assignment.
Compare the User Rights to the following list. If any groups or accounts are given rights that are not authorized below, this is a finding.
Access Credential Manager as a trusted caller - (None)
Access this computer from the network - Administrators, Authenticated Users
Act as part of the operating system - See separate requirement V-1102
Allow log on locally - Administrators
Allow log on through Terminal Services - Administrators
Backup files and directories - Administrators
Bypass traverse checking - Administrators, Authenticated Users, Local Service, Network Service
Change the system time - Administrators, Local Service
Change the time zone - Administrators, Local Service
Create a pagefile - Administrators
Create a token object - (None)
Create global objects - Administrators, Service, Local Service, Network Service
Create permanent shared objects - (None)
Create symbolic links - Administrators
Debug programs - See separate requirement V-18010
Deny access to this computer from the network - See separate requirement V-1155
Deny log on as a batch job - See separate requirement V-26483
Deny log on as a service - See separate requirement V-26484
Deny log on locally - See separate requirement V-26485
Deny log on through Terminal Services - See separate requirement V-26486
Enable computer and user accounts to be trusted for delegation - Administrators
Force shutdown from a remote system - Administrators
Generate security audits - Local Service, Network Service
Impersonate a client after authentication - Administrators, Service, Local Service, Network Service
Increase scheduling priority - Administrators
Load and unload device drivers - Administrators
Lock pages in memory - (None)
Manage auditing and security log - Administrators; plus Exchange Enterprise Servers Group on Exchange Servers
If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding.
Modify an object label - Administrators
Modify firmware environment values - Administrators
Perform volume maintenance tasks - Administrators
Profile single process - Administrators
Profile system performance - Administrators
Remove computer from docking station - Administrators
Replace a process level token - Local Service, Network Service
Restore files and directories - Administrators
Shut down the system - Administrators
Take ownership of files or other objects - Administrators
Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the ISSO. Acceptable forms of documentation include vendor published documents and application owner confirmation.
V-1103
True
4.010-MS
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies >> User Rights Assignment.
Compare the User Rights to the following list. If any groups or accounts are given rights that are not authorized below, this is a finding.
Access Credential Manager as a trusted caller - (None)
Access this computer from the network - Administrators, Authenticated Users
Act as part of the operating system - See separate requirement V-1102
Allow log on locally - Administrators
Allow log on through Terminal Services - Administrators
Backup files and directories - Administrators
Bypass traverse checking - Administrators, Authenticated Users, Local Service, Network Service
Change the system time - Administrators, Local Service
Change the time zone - Administrators, Local Service
Create a pagefile - Administrators
Create a token object - (None)
Create global objects - Administrators, Service, Local Service, Network Service
Create permanent shared objects - (None)
Create symbolic links - Administrators
Debug programs - See separate requirement V-18010
Deny access to this computer from the network - See separate requirement V-1155
Deny log on as a batch job - See separate requirement V-26483
Deny log on as a service - See separate requirement V-26484
Deny log on locally - See separate requirement V-26485
Deny log on through Terminal Services - See separate requirement V-26486
Enable computer and user accounts to be trusted for delegation - Administrators
Force shutdown from a remote system - Administrators
Generate security audits - Local Service, Network Service
Impersonate a client after authentication - Administrators, Service, Local Service, Network Service
Increase scheduling priority - Administrators
Load and unload device drivers - Administrators
Lock pages in memory - (None)
Manage auditing and security log - Administrators; plus Exchange Enterprise Servers Group on Exchange Servers
If the organization has an "Auditors" group from previous requirements, the assignment of this group to the user right would not be a finding.
Modify an object label - Administrators
Modify firmware environment values - Administrators
Perform volume maintenance tasks - Administrators
Profile single process - Administrators
Profile system performance - Administrators
Remove computer from docking station - Administrators
Replace a process level token - Local Service, Network Service
Restore files and directories - Administrators
Shut down the system - Administrators
Take ownership of files or other objects - Administrators
Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the ISSO. Acceptable forms of documentation include vendor published documents and application owner confirmation.
M
Information Assurance Officer
1340