[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-34910-0

Platform: cpe:/o:microsoft:windows_8.1Date: (C)2015-10-14   (M)2023-07-04



Microsoft network server: Attempt S4U2Self to obtain claim information This security setting is to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal?s claims from the client?s account domain. This setting should only be set to enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts may be in a domain which has client computers and domain controllers running a version of Windows prior to Windows 8. This setting should be set to automatic (default) so that the file server can automatically evaluate whether claims are needed for the user. An administrator would want to set this setting explicitly to ?Enabled? only if there are local file access policies that include user claims. When enabled this security setting will cause the Windows file server to examine the access token of an authenticated network client principal and determine if claim information is present. If claims are not present the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 8 domain controller in the client?s account domain, and obtain a claims-enabled access token for the client principal. A claims-enabled token may be needed to access files or folders which have claim-based access control policy applied. If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal.


Parameter:

[default/enable/disable]


Technical Mechanism:

(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options!Microsoft network server: Attempt S4U2Self to obtain claim information (2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesLanManServerParameters!EnableS4U2SelfForClaims

CCSS Severity:CCSS Metrics:
CCSS Score : 6.5Attack Vector: NETWORK
Exploit Score: 2.2Attack Complexity: HIGH
Impact Score: 4.2Privileges Required: NONE
Severity: MEDIUMUser Interaction: NONE
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:HScope: UNCHANGED
 Confidentiality: LOW
 Integrity: NONE
 Availability: HIGH
  

References:
Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:29614


OVAL    1
oval:org.secpod.oval:def:29614
XCCDF    1
xccdf_org.secpod_benchmark_general_Windows_8_1

© SecPod Technologies