2.2.43 Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer.

The recommended state for this setting is: Administrators, NT SERVICE\WdiServiceHost.

Rationale:

The Profile system performance user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might wish to attack directly. Attackers may also be able to determine what processes are active on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software or an intrusion detection system.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Administrators, NT SERVICE\WdiServiceHost:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance

Default Value:

Windows Server 2008 (non-R2): Administrators.

Windows Server 2008 R2 or newer: Administrators, NT SERVICE\WdiServiceHost.

See Also

https://workbench.cisecurity.org/benchmarks/12626