Impersonate a client after authentication

Information

Impersonate a client after authentication

Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default:

Administrators
Local Service
Network Service
Service

Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.

In addition, a user can also impersonate an access token if any of the following conditions exist.

The access token that is being impersonated is for this user.
The user, in this logon session, created the access token by logging on to the network with explicit credentials.
The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users do not usually need this user right.

For more information, search for 'SeImpersonatePrivilege' in the Microsoft Platform SDK.

Warning

If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.

Solution

Policy Path: User Rights Assignments
Policy Setting Name: Impersonate a client after authentication

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7)(b)

Plugin: Windows

Control ID: 03404bbfc27ebb1768d6ee5738a4006c5f91fc1f0cd4f5320fd73bb6223e67f3