This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Vulnerability: Users who have the Create permanent shared objects user right could create new shared objects and expose sensitive data to the network. Counter Measure: Do not assign the Create permanent shared objects user right to any users. Processes that require this user right should use the System account (which already includes this user right) instead of a separate user account. Potential Impact: None. This is the default configuration. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentCreate permanent shared objects (2) REG: NO INFO

[default]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects (2) REG: NO INFO