Impersonate a client after authentication
ID: oval:org.secpod.oval:def:36527 | Date: (C) 2016-08-05 (M) 2018-07-10
Class: COMPLIANCE | Family: windows
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
Assigning this user right can be a security risk. Only assign this user right to trusted users.
Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.
In addition, a user can also impersonate an access token if any of the following conditions exist:
- The access token that is being impersonated is for this user.
- The user, in this logon session, created the access token by logging on to the network with explicit credentials.
- The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users do not usually need this user right.
For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK.
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
On member servers, ensure that only the Administrators and Service groups have the Impersonate a client after authentication user right assigned to them. Computers that run IIS 6.0 must have this user right assigned to the IIS_WPG group (which grants it to the Network Service account).
In most cases this configuration will have no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the Impersonate a client after authentication user right to additional accounts that are required by those components, such as IUSR_<ComputerName>, IIS_WPG, ASP.NET or IWAM_<ComputerName>.
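The following PowerShell script is an added example, not part of the SecPod definition, that audits who currently holds SeImpersonatePrivilege on the local machine and flags any account outside the set named above (Administrators and Service). It assumes an elevated session, that secedit.exe is available, and that the allowed list is extended with the IIS/ASP.NET accounts mentioned above on hosts where those components are installed.

```powershell
# Added example (not from the SecPod definition): check which accounts hold
# SeImpersonatePrivilege and compare against the allowed set from the text above.
# Assumes an elevated PowerShell session and that secedit.exe is present.

# Allowed holders per the guidance above; add IIS_WPG, ASP.NET, IUSR_/IWAM_
# accounts here only on hosts where IIS/ASP.NET is installed.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SERVICE')

# Export the local User Rights Assignment area to a temporary .inf file.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export lists rights as: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $cfg -Force

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; translate them to account names.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $entry   # keep the raw SID if it cannot be resolved (orphaned SID)
            }
        } else {
            $entry
        }
    }
}

$unexpected = $holders | Where-Object { $allowed -notcontains $_ }

"Accounts holding SeImpersonatePrivilege:"
$holders | ForEach-Object { "  $_" }
if ($unexpected) {
    "FAIL: unexpected holders: $($unexpected -join ', ')"
    exit 1
} else {
    "PASS: only the expected accounts hold this user right"
    exit 0
}
```

An unresolved SID in the output usually means a deleted account still holds the right and should be removed from the assignment.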
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeImpersonatePrivilege' and precedence=1
Platform: Microsoft Windows 10