2.023 - Standard user accounts must only have Read permissions to the Winlogon registry key.

Information

Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have this capability there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.

Solution

Maintain permissions at least as restrictive as the defaults listed below for the 'WinLogon' registry key. It is recommended to not change the permissions from the defaults.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

The following are the same for each permission listed:
Type - Allow
Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Apply to - This key and subkeys

Columns: Name - Permission
TrustedInstaller - Full Control
SYSTEM - Full Control
Administrators - Full Control
Users - Read

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2008_R2_MS_V1R33_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-6(7), 800-53|CM-6, CAT|I, CCI|CCI-002235, CSCv6|3.1, Rule-ID|SV-33310r3_rule, STIG-ID|2.023, Vuln-ID|V-26070

Plugin: Windows

Control ID: 9460b19f79cd3050e9fdfa2dc7a3199eddf7680ecea85b2be0a7b8b27ce49c9c