User Right Assignment: Debug Programs
|ID: oval:org.secpod.oval:def:36494||Date: (C)2016-08-05 (M)2018-03-15|
|Class: COMPLIANCE||Family: windows|
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.
Assigning this user right can be a security risk. Only assign this user right to trusted users.
Note: Microsoft released several security updates in October 2003 that used a version of Update.exe that required the administrator to have the Debug programs user right. Administrators who did not have this user right were unable to install these security updates until they reconfigured their user rights. This is not typical behavior for operating system updates. For more information, see Knowledge Base article 830846: 'Windows Product Updates may stop responding or may use most or all the CPU resources.'
Remove the accounts of all users and groups that do not require the Debug programs user right.
If you revoke this user right, no one will be able to debug programs. However, typical circumstances rarely require this capability on production computers. If a problem arises that requires an application to be debugged on a production server, you can move the server to a different OU temporarily and assign the Debug programs user right to a separate Group Policy for that OU.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeDebugPrivilege' and precedence=1
|Microsoft Windows 10|