2.2.45 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

Information

This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.

The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE

Note: This user right is considered a 'sensitive privilege' for the purposes of auditing.

Note #2: A Member Server that holds the

Web Server (IIS)

Role with

Web Server

Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right.

Note #3: A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.

Users with the Replace a process level token privilege are able to start processes as other users whose credentials they know. They could use this method to hide their unauthorized actions on the computer. (On Windows 2000-based computers, use of the Replace a process level token user right also requires the user to have the Adjust memory quotas for a process user right that is discussed earlier in this section.)

Solution

To establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK SERVICE :

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token

Impact:

On most computers, this is the default configuration and there will be no negative impact. However, if you have installed the

Web Server (IIS)

Role with

Web Services

Role Service, you will need to allow the IIS application pool(s) to be granted this User Right Assignment.

See Also

https://workbench.cisecurity.org/benchmarks/16913