CCE-99312-1Platform: cpe:/o:microsoft:windows_11 | Date: (C)2023-03-11 (M)2023-07-07 |
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview.
Default: Network Service, Local Service.
Countermeasure:
For member servers, ensure that only the Local Service and Network Service accounts have the Replace a process level token user right.
Potential Impact:
On most computers, this is the default configuration and there will be no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the Replace a process level token privilege to additional accounts. For example, IIS requires that the Service, Network Service, and IWAM_<ComputerName> accounts be explicitly granted this user right.
Fix:
(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentReplace a process level token
(2) REG: ###
(3) WMI: root
sopcomputer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeAssignPrimaryTokenPrivilege' and precedence=1
Parameter:
[list_of_users_followed_by_comma]
Technical Mechanism:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight=SeAssignPrimaryTokenPrivilege and precedence=1
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.8 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87986 |