2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

Information

This security setting is used by Credential Manager during Backup and Restore.

No accounts should have this user right, as it is only assigned to Winlogon.

Users' saved credentials might be compromised if this user right is assigned to other entities.

The recommended state for this setting is: 'No One'.

Solution

To establish the recommended configuration via GP, set the following UI path to 'No One':

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller
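To confirm the setting on a host, the following PowerShell audit is an added example and is not part of the benchmark text. It assumes the right appears as SeTrustedCredManAccessPrivilege in the [Privilege Rights] section of a secedit export and that it is run from an elevated prompt; the function name is hypothetical.

```powershell
# Added example: audit 'Access Credential Manager as a trusted caller'.
# Assumption: the right is exported by secedit as SeTrustedCredManAccessPrivilege.
# Run from an elevated PowerShell prompt.

function Get-TrustedCredManAssignees {
    param([string[]]$InfLines)
    # A missing line or an empty value both mean the right is assigned to no one.
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeTrustedCredManAccessPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1]
    # Entries are comma separated; SIDs are written with a leading '*'.
    return @($value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}

$tmp = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights area of the current security settings.
    secedit /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    $assignees = @(Get-TrustedCredManAssignees -InfLines (Get-Content -LiteralPath $tmp))
}
finally {
    Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
}

if ($assignees.Count -eq 0) {
    "PASS: 'Access Credential Manager as a trusted caller' is assigned to No One."
}
else {
    "FAIL: the right is assigned to:"
    foreach ($entry in $assignees) {
        $name = $entry
        if ($entry -like 'S-1-*') {
            try {
                # Translate the SID to an account name where it resolves.
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch { $name = "$entry (unresolved SID)" }
        }
        "  $name"
    }
}
```

A FAIL result lists each account or SID holding the right, which is the set to remove when applying the setting above.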

See Also

https://workbench.cisecurity.org/files/1941