2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities.

The recommended state for this setting is: No One.

Rationale:

If an account is given this right the user of the account may create an application that calls into Credential Manager and is returned the credentials for another user.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to No One:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller


Default Value:

No one.

Additional Information:

Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021

Vul ID: V-225070
Rule ID: SV-225070r569186_rule
STIG ID: WN16-UR-000010
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3476