Act as part of the operating system
|ID: oval:org.secpod.oval:def:36553||Date: (C)2016-08-05 (M)2018-07-10|
|Class: COMPLIANCE||Family: windows|
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.
Assigning this user right can be a security risk. Only assign this user right to trusted users.
Restrict the Act as part of the operating system user right to as few accounts as possible-it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which has this privilege inherently. Do not create a separate account and assign this user right to it.
There should be little or no impact because the Act as part of the operating system user right is rarely needed by any accounts other than the Local System account.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeTcbPrivilege' and precedence=1
|Microsoft Windows 10|