CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Scored)
ProfileApplicability:
Level 1 (L1) - Corporate/Enterprise Environment (general use)
Description:
This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.
The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE .
Note: This user right is considered a "sensitive privilege" for the purposes of auditing.
Rationale:
Users with the Replace a process level token privilege are able to start processes as other users whose credentials they know. They could use this method to hide their unauthorized actions on the computer. (OnWindows 2000-based computers, use of the Replace a process level token user right also requires the user to have the Adjust memory quotas for a process user right that is discussed earlier in this section.)
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Remediation:
To establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK SERVICE :
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
142 | P a g e
Made with FlippingBook - Online magazine maker