[Forgot Password]
Login  Register Subscribe

24436

 
 

131815

 
 

115190

 
 

909

 
 

90025

 
 

140

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-47295-1

Platform: win2016Date: (C)2017-08-03   (M)2018-07-10



"Create a token object" This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Vulnerability: A user account that is given this user right has complete control over the system and can lead to the system being compromised. It is highly recommended that you do not assign any user accounts this right. The operating system examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local computer or connect to a remote computer over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their own privileges or create a DoS condition. Counter Measure: Do not assign the Create a token object user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. Potential Impact: None. This is the default configuration.


Parameter:


Technical Mechanism: Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment (2) REG: No Registry Info

References:

Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:40222


OVAL    1
oval:org.secpod.oval:def:40222
XCCDF    4
xccdf_org.secpod_benchmark_general_Windows_Server_2016
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_Server_2016
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_Server_2016
xccdf_org.secpod_benchmark_PCI_3_2_Windows_Server_2016
...

© SecPod Technologies