STIGQter: STIG Summary: Windows 2008 Member Server Security Technical Implementation Guide
Version: 6 Release: 43 Benchmark Date: 26 Jul 2019

Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.

DISA Rule

SV-47846r2_rule

Vulnerability Number

V-36439

Group Title

Local admin accounts filtered token policy enabled on domain systems.

Rule Version

WINRG-000003-MS

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Value Name: LocalAccountTokenFilterPolicy

Type: REG_DWORD
Value: 0

Check Contents

If the system is not a member of a domain, this is NA.
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Value Name: LocalAccountTokenFilterPolicy

Type: REG_DWORD
Value: 0

This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to 1 may be required.
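
The check above, as an added PowerShell audit example (not part of the STIG or of STIGQter; the function names and the Status strings are assumptions chosen for illustration). It only reads state, and it treats a value of the wrong registry type as "not configured as specified":

```powershell
# Added example: read-only audit for V-36439. Function names are hypothetical.
function New-CheckResult([string]$Status, [string]$Detail) {
    # PSObject keeps this usable on the PowerShell 2.0 shipped for Windows 2008.
    New-Object PSObject -Property @{ Rule = 'V-36439'; Status = $Status; Detail = $Detail }
}

function Test-LocalAccountTokenFilterPolicy {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'LocalAccountTokenFilterPolicy'

    # "If the system is not a member of a domain, this is NA."
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return New-CheckResult 'NotApplicable' 'System is not a member of a domain.'
    }

    # A missing key or a missing value is a finding.
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key -or ($key.GetValueNames() -notcontains $name)) {
        return New-CheckResult 'Finding' "$name does not exist."
    }

    # The value must be a REG_DWORD, not a string that happens to read "0".
    $kind = $key.GetValueKind($name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return New-CheckResult 'Finding' "$name has type $kind, expected REG_DWORD."
    }

    # The value must be 0; 1 leaves the privileged token unfiltered.
    $value = $key.GetValue($name)
    if ($value -ne 0) {
        return New-CheckResult 'Finding' "$name is $value, expected 0."
    }

    New-CheckResult 'NotAFinding' "$name is REG_DWORD 0."
}

Test-LocalAccountTokenFilterPolicy | Format-List Rule, Status, Detail
```

Running it again after a scan window is a quick way to confirm that a temporary value of 1 was set back to 0.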

Documentable

False

Severity Override Guidance

If the system is not a member of a domain, this is NA.
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Value Name: LocalAccountTokenFilterPolicy

Type: REG_DWORD
Value: 0

This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to 1 may be required.

Check Content Reference

M

Target Key

1340
