2.023 - Standard user accounts must only have Read permissions to the Winlogon registry key.

Information

Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have this capability there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.

Solution

Maintain permissions at least as restrictive as the defaults listed below for the 'WinLogon' registry key. It is recommended to not change the permissions from the defaults.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE

Columns: Name - Permission - Apply to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Special - Subkeys only
(Special = Full Control)

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2008_MS_V6R46_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-6(7), 800-53|CM-6, CAT|I, CCI|CCI-002235, CSCv6|3.1, Rule-ID|SV-33308r3_rule, STIG-ID|2.023, Vuln-ID|V-26070

Plugin: Windows

Control ID: 722bfec8b7e64bb8ada012016c3d95fd84a3b8539756e7cb97f93ba854a3a1b3