2.2.5 Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting allows a user to adjust the maximum amount of memory that is available to a process.

The ability to adjust memory quotas is useful for system tuning, but it can be abused.

In the wrong hands, it could be used to launch a denial of service (DoS) attack.

The recommended state for this setting is: 'Administrators, LOCAL SERVICE, NETWORK SERVICE'.

Note: A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right.

Note #2: A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, NETWORK SERVICE:'

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process

See Also

https://workbench.cisecurity.org/files/1941