CCE-2407-5Platform: cpe:/o:microsoft:windows_xp | Date: (C)2012-03-13 (M)2023-07-04 |
Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool.
You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Configuration tool. By default, administrators are able to make such changes.
If the status is set to Enabled, the Permissions tab in the Remote Desktop Session Host Configuration tool cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group. All of the security descriptors are Read Only.
If the status is set to Disabled or Not Configured, server administrators have full Read/Write privileges to the user security descriptors on the Permissions tab in the Remote Desktop Session Host Configuration tool.
Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group.
Countermeasure:
Configure this setting depending on your organization's requirements.
Potential Impact:
The Permissions tab in the Remote Desktop Session Host Configuration tool cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group by local server administrators.
Parameter:
[enabled/disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Do not allow local administrators to customize permissions
(2) REG: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services!fWritableTSCCPermTab
CCSS Severity: | CCSS Metrics: |
CCSS Score : 6.7 | Attack Vector: NETWORK |
Exploit Score: 1.2 | Attack Complexity: LOW |
Impact Score: 5.5 | Privileges Required: HIGH |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: LOW |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:15133 |
BITS Shared Assessments SIG v6.0 | BITS Shared Assessments SIG v6.0 |
Jericho Forum | Jericho Forum |
HIPAA/HITECH Act | HIPAA/HITECH Act |
FedRAMP Security Controls(Final Release Jan 2012)--LOW IMPACT LEVEL-- | FedRAMP Security Controls(Final Release Jan 2012)--LOW IMPACT LEVEL-- |
ISO/IEC 27001-2005 | ISO/IEC 27001-2005 |
COBIT 4.1 | COBIT 4.1 |
GAPP (Aug 2009) | GAPP (Aug 2009) |
NERC CIP | NERC CIP |
NIST SP800-53 R3 | NIST SP800-53 R3 CM-5 |
NIST SP800-53 R3 | NIST SP800-53 R3 CM-6 |
PCIDSS v2.0 | PCIDSS v2.0 |
FedRAMP Security Controls(Final Release Jan 2012)--MODERATE IMPACT LEVEL-- | FedRAMP Security Controls(Final Release Jan 2012)--MODERATE IMPACT LEVEL-- |
BITS Shared Assessments AUP v5.0 | BITS Shared Assessments AUP v5.0 |