User Right Assignments (Windows)

Objective:

  • Audit “User Rights Assignment”
  • Hardening / Configuring “User Rights Assignment”

Overview

“User Rights Assignments” are configured through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment). On a single machine they can also be set through the Local Security Policy console (secpol.msc) or a secedit security template; a domain GPO that configures the same right takes precedence over the local setting at the next policy refresh.
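As an added example (not code from the original page), the script below pushes a user-rights baseline into the local security database with a secedit template and re-exports the result to verify it. The right names and the well-known SIDs (S-1-5-32-544 Administrators, S-1-5-32-546 Guests, S-1-5-32-555 Remote Desktop Users) are standard Windows values; the particular assignments in the template are a constructed sample for illustration, not a vetted baseline.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell.
# Caveats: every [Privilege Rights] line REPLACES the entire account list for that
# right (drop Administrators from SeInteractiveLogonRight and you lock yourself out),
# and a domain GPO that sets the same right overwrites this at the next policy refresh.

# Constructed sample template. Single-quoted here-string so "$CHICAGO$" is written
# literally rather than expanded. An empty value (SeTcbPrivilege) assigns the right to nobody.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeTcbPrivilege =
'@

function Set-UserRightsFromTemplate {
    param([Parameter(Mandatory)][string]$InfText)

    $work = Join-Path $env:TEMP 'ura'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $inf = Join-Path $work 'userrights.inf'
    $db  = Join-Path $work 'userrights.sdb'
    $log = Join-Path $work 'userrights.log'

    # secedit expects a Unicode (UTF-16LE) template.
    $InfText | Set-Content -Path $inf -Encoding Unicode

    # /areas USER_RIGHTS touches only user rights; /overwrite discards whatever is in the scratch db.
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /overwrite /log $log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE); see $log" }

    # Verify by re-exporting the effective settings. A right held by nobody (SeTcbPrivilege
    # above) is simply absent from the export.
    $after = Join-Path $work 'after.inf'
    & secedit.exe /export /areas USER_RIGHTS /cfg $after /quiet | Out-Null
    Get-Content -Path $after -Encoding Unicode |
        Where-Object { $_ -match '^Se(DenyInteractiveLogon|DenyRemoteInteractiveLogon|RemoteInteractiveLogon|Tcb)' }
}

Set-UserRightsFromTemplate -InfText $Template
```

The export prints accounts as SIDs prefixed with "*", so the verification lines read back exactly as written in the template.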

Available User Rights


Finding IDs are the ones listed on stigviewer.com; they differ between STIG versions, so treat them as a lookup aid rather than a stable identifier.

Policy Name | STIG Viewer Finding ID | User Right
Access Credential Manager as a trusted caller | V-26469 | SeTrustedCredManAccessPrivilege
Access this computer from the network | V-26470 | SeNetworkLogonRight
Act as part of the operating system | V-1102 | SeTcbPrivilege
Add workstations to domain | V-30016 | SeMachineAccountPrivilege
Adjust memory quotas for a process | V-26471 | SeIncreaseQuotaPrivilege
Allow log on locally | V-26472 | SeInteractiveLogonRight
Allow log on through Remote Desktop Services | V-26473 | SeRemoteInteractiveLogonRight
Back up files and directories | V-26474 | SeBackupPrivilege
Bypass traverse checking | V-26475 | SeChangeNotifyPrivilege
Change the system time | V-26476 | SeSystemTimePrivilege
Change the time zone | V-26477 | SeTimeZonePrivilege
Create a pagefile | V-26478 | SeCreatePagefilePrivilege
Create a token object | V-26479 | SeCreateTokenPrivilege
Create global objects | V-26480 | SeCreateGlobalPrivilege
Create permanent shared objects | V-26481 | SeCreatePermanentPrivilege
Create symbolic links | V-26482 | SeCreateSymbolicLinkPrivilege
Debug programs | V-18010 | SeDebugPrivilege
Deny access to this computer from the network | V-1155 | SeDenyNetworkLogonRight
Deny log on as a batch job | V-26483 | SeDenyBatchLogonRight
Deny log on as a service | V-26484 | SeDenyServiceLogonRight
Deny log on locally | V-26485 | SeDenyInteractiveLogonRight
Deny log on through Remote Desktop Services | V-26486 | SeDenyRemoteInteractiveLogonRight
Enable computer and user accounts to be trusted for delegation | V-26487 | SeEnableDelegationPrivilege
Force shutdown from a remote system | V-26488 | SeRemoteShutdownPrivilege
Generate security audits | V-26489 | SeAuditPrivilege
Impersonate a client after authentication | V-26490 | SeImpersonatePrivilege
Increase a process working set | V-26491 | SeIncreaseWorkingSetPrivilege
Increase scheduling priority | V-26492 | SeIncreaseBasePriorityPrivilege
Load and unload device drivers | V-26493 | SeLoadDriverPrivilege
Lock pages in memory | V-26494 | SeLockMemoryPrivilege
Log on as a batch job | V-26495 | SeBatchLogonRight
Log on as a service | | SeServiceLogonRight
Manage auditing and security log | V-26496 | SeSecurityPrivilege
Modify an object label | V-26497 | SeRelabelPrivilege
Modify firmware environment values | V-26498 | SeSystemEnvironmentPrivilege
Perform volume maintenance tasks | V-26499 | SeManageVolumePrivilege
Profile single process | V-26500 | SeProfileSingleProcessPrivilege
Profile system performance | V-26501 | SeSystemProfilePrivilege
Remove computer from docking station | | SeUndockPrivilege
Replace a process level token | V-26503 | SeAssignPrimaryTokenPrivilege
Restore files and directories | V-26504 | SeRestorePrivilege
Shut down the system | V-26505 | SeShutdownPrivilege
Synchronize directory service data | V-12780 | SeSyncAgentPrivilege
Take ownership of files or other objects | V-26506 | SeTakeOwnershipPrivilege

Get Current Configuration:

Via PowerShell (RSoP data, i.e. only rights set through Group Policy; a right configured locally or left at its default does not appear here):

Get-WmiObject -NameSpace Root\RSOP\Computer -Class RSOP_UserPrivilegeRight | Select UserRight, AccountList

Via secedit (the effective local security database, GPO-applied and local settings alike; requires an elevated prompt; the export is UTF-16 and lists accounts as SIDs prefixed with "*", e.g. *S-1-5-32-546 for Guests):

secedit /export /areas USER_RIGHTS /cfg OUTFILE.CFG

Via accesschk.exe (Sysinternals Suite; "-a *" lists every user right together with the accounts that hold it; run elevated):

accesschk.exe -accepteula -a *
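As an added example (not code from the original page), the script below turns the secedit export into something auditable: it parses the [Privilege Rights] section, translates the "*SID" entries to account names, and reports deviations from a baseline. $Baseline is a constructed sample, not a STIG value; the secedit switches and the SecurityIdentifier.Translate call are standard. Run from an elevated PowerShell.

```powershell
# Added example, not from the original page. Constructed baseline: right -> accounts that
# must hold it (empty array = nobody may hold it).
$Baseline = @{
    'SeDenyInteractiveLogonRight' = @('BUILTIN\Guests')
    'SeTcbPrivilege'              = @()                        # "Act as part of the operating system"
    'SeDebugPrivilege'            = @('BUILTIN\Administrators')
}

function Get-LocalUserRight {
    # Returns a hashtable: user right name -> array of account names resolved from SIDs.
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'
    & secedit.exe /export /areas USER_RIGHTS /cfg $cfg /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE); run elevated" }

    $rights = @{}
    $inSection = $false
    # secedit writes UTF-16LE; lines look like: SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-...
    foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $accounts = foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            if ($entry.StartsWith('*')) {
                # Resolve the SID; keep the raw SID when it no longer resolves (deleted/orphaned account,
                # which is itself a finding worth seeing in the report).
                try { (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry.Substring(1) }
            } else { $entry }
        }
        $rights[$name] = @($accounts | Where-Object { $_ })
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Compare-UserRight {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($right in $Expected.Keys) {
        # A right absent from the export is assigned to nobody.
        $have = if ($Actual.ContainsKey($right)) { @($Actual[$right]) } else { @() }
        $want = @($Expected[$right])
        $extra   = @($have | Where-Object { $want -notcontains $_ })
        $missing = @($want | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            UserRight = $right
            Status    = $(if ($extra.Count -or $missing.Count) { 'DEVIATION' } else { 'OK' })
            Extra     = ($extra -join ', ')
            Missing   = ($missing -join ', ')
        }
    }
}

Compare-UserRight -Actual (Get-LocalUserRight) -Expected $Baseline | Format-Table -AutoSize
```

Because the comparison works on the secedit export rather than RSoP, it catches rights that were granted locally or left at their defaults, which the RSoP query above would not show.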

Nessus audit file check

Nessus can verify “User Rights Assignments” via an audit file. Two forms are shown below: a native USER_RIGHTS_POLICY check, which compares the accounts holding the right in right_type against value_data, and an AUDIT_POWERSHELL check, which queries RSoP for the winning setting (precedence 1, in case several GPOs configure the same right) and passes only if no account other than Guests is listed (powershell_option CAN_BE_NULL lets an empty result count as a match).

<custom_item>
 type: USER_RIGHTS_POLICY
 description: "CCE-24460-8:Deny log on locally:W2K12"
 info: "Windows Server 2012"
 value_type: USER_RIGHT
 value_data: "Guests"
 right_type: SeDenyInteractiveLogonRight
</custom_item>

or

<custom_item>
 type : AUDIT_POWERSHELL
 description : "CCE-24460-8:Deny log on locally:W2K12"
 info : "Windows Server 2012"
 value_type : POLICY_TEXT
 value_data : ""
 powershell_args : 'Get-WmiObject -NameSpace Root\\RSOP\\Computer -Class RSOP_PolicySetting | Where {$_.UserRight -match \'SeDenyInteractiveLogonRight\' -and $_.precedence -eq 1 -and $_.Accountlist -ne $null} | Select -ExpandProperty Accountlist | Where { $_ -ne \\"guests\\" }'
 check_type : CHECK_EQUAL
 powershell_option : CAN_BE_NULL
</custom_item>
