Tim’s Tech Blurbs
Tim’s tech ramblings about Intune, Modern Management, Powershell and every thing else.
Should you change the default user rights assignments in Windows 10? That’s the question. If you ask my colleague the AD expert, he will tell you to run away and not even think about changing the defaults. (He will back it up with some pretty funny stories as well, about how someone did it and locked out a company, and maybe even a ship.)
If you ask the Security team, the answer is yes. We should set them.
Let’s take a look. We will start at my favourite site: the Windows 10 version 2004 security baseline. MS recommend quite a few settings to be applied. When we add another baseline from the Security team, we end up with the table below.
Policy Setting Name | Windows 10 |
---|---|
Access Credential Manager as a trusted caller | No One (Blank) |
Access this computer from the network | Administrators; Remote Desktop Users |
Act as part of the operating system | No One (Blank) |
Allow log on locally | Administrators; Users |
Back up files and directories | Administrators |
Create a pagefile | Administrators |
Create a token object | No One (Blank) |
Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE |
Create permanent shared objects | No One (Blank) |
Debug programs | Administrators |
Deny access to this computer from the network | NT AUTHORITY\Local Account |
Deny log on through Remote Desktop Services | NT AUTHORITY\Local Account |
Enable computer and user accounts to be trusted for delegation | No One (blank) |
Force shutdown from a remote system | Administrators |
Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service |
Load and unload device drivers | Administrators |
Lock pages in memory | No One (blank) |
Manage auditing and security log | Administrators |
Modify firmware environment values | Administrators |
Perform volume maintenance tasks | Administrators |
Profile single process | Administrators |
Restore files and directories | Administrators |
Take ownership of files or other objects | Administrators |
First things first. Let’s check the CSP and see what we need to do. Note that you can use the friendly name for the account (i.e. Administrators), but we have every language under the sun, so we need a better way to define the accounts. Let’s check the well-known SID structures for what we need.
Let’s start with the local Administrators group. When you check for the SID, be sure to look for the BUILTIN groups and not the domain groups. Looking at the table, the SID is S-1-5-32-544.
Now we check Local Account and we get S-1-5-113.
Account | SID |
---|---|
Administrators | S-1-5-32-544 |
Local Account | S-1-5-113 |
Local Service | S-1-5-19 |
Network Service | S-1-5-20 |
Service | S-1-5-6 |
So let’s set up a policy. Let’s open Endpoint Manager.
Go to Devices -> Configuration Profiles. Select Add new.
Select “Windows 10 and later” and Custom as the profile type.
Let’s enter a logical name, “Windows 10 User Rights Assignment”, and select Save.
Let’s start with “Load and unload device drivers”. Select Add on the next page. Enter the name for the setting; I am prefixing the name with URA (for User Rights Assignment). In the OMA-URI field enter ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers. The Data Type should be String. Enter the desired SID for the setting, in this case *S-1-5-32-544 (add the * in front to mark it as a SID rather than a name). Press Save.
Done. What’s next? Let’s go to “Access Credential Manager as a trusted caller”. According to the baseline no one should have this right. But how do we define it so no one can access it? Well, don’t press Save with a blank field. It will fail (I learned the hard way).
Add a new one with the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value to </>. If you leave it blank you get an error when saving. It’s really annoying if you have added 20 and then realise they have all failed.
Repeat until you have added them all. Select Next, and then assign the profile to your test group. Sync your device, and reboot.
You should also do the testing on a test machine, just in case you lock yourself out.
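The same profile built through Microsoft Graph instead of by hand, as an added example that is not the blog’s own code: it assumes the Microsoft.Graph PowerShell module and the windows10CustomConfiguration / omaSettingString Graph resource types (names the post does not use), and encodes the *SID;SID and </> rules above for a subset of the table.

```powershell
# Added example, not from the blog post: create the URA custom profile through
# Microsoft Graph instead of adding each OMA-URI by hand in Endpoint Manager.
# Assumptions: the Microsoft.Graph module is installed, and a Custom Windows 10
# profile is the windows10CustomConfiguration/omaSettingString Graph types.
# Well-known SIDs from the post's table (BUILTIN groups, not domain groups).
$Sid = @{
    Administrators = 'S-1-5-32-544'
    Users          = 'S-1-5-32-545'
    RemoteDesktop  = 'S-1-5-32-555'
    LocalAccount   = 'S-1-5-113'
    LocalService   = 'S-1-5-19'
    NetworkService = 'S-1-5-20'
    Service        = 'S-1-5-6'
}

# Last OMA-URI segment -> accounts that should hold the right (from the
# baseline table). An empty list means "No One"; extend with the other rows.
$Rights = [ordered]@{
    LoadUnloadDeviceDrivers                = @('Administrators')
    AccessCredentialManagerAsTrustedCaller = @()
    AccessFromNetwork                      = @('Administrators', 'RemoteDesktop')
    AllowLocalLogOn                        = @('Administrators', 'Users')
    CreateGlobalObjects                    = @('Administrators', 'LocalService', 'NetworkService', 'Service')
    DenyAccessFromNetwork                  = @('LocalAccount')
}

# The UserRights CSP wants every SID prefixed with '*' and joined with ';'.
# A blank value fails to save, so "No One" is written as the literal '</>'.
function ConvertTo-UraValue {
    param([string[]]$Accounts)
    if (-not $Accounts -or $Accounts.Count -eq 0) { return '</>' }
    return (($Accounts | ForEach-Object { '*' + $Sid[$_] }) -join ';')
}

$omaSettings = foreach ($name in $Rights.Keys) {
    @{
        '@odata.type' = '#microsoft.graph.omaSettingString'
        displayName   = "URA - $name"
        omaUri        = "./Device/Vendor/MSFT/Policy/Config/UserRights/$name"
        value         = ConvertTo-UraValue $Rights[$name]
    }
}

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows 10 User Rights Assignment'
    description   = 'Baseline user rights; assign to a test group first'
    omaSettings   = @($omaSettings)
}

# Creates the profile unassigned; assign it to the test group afterwards.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5)
```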
Name | OMA-URI | Setting / SIDs |
---|---|---|
URA – Load and unload device drivers | ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers | *S-1-5-32-544 |
URA – Generate security audits | ./Device/Vendor/MSFT/Policy/Config/UserRights/GenerateSecurityAudits | *S-1-5-20;*S-1-5-19; |
URA – Access this computer from the network | ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork | *S-1-5-32-555;*S-1-5-32-544 |
URA – Enable computer and user accounts to be trusted for delegation | ./Device/Vendor/MSFT/Policy/Config/UserRights/EnableDelegation | </> |
URA – Access Credential Manager as a trusted caller | ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller | </> |
URA – Act as part of the operating system | ./Device/Vendor/MSFT/Policy/Config/UserRights/ActAsPartOfTheOperatingSystem | </> |
URA – Allow log on locally | ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn | *S-1-5-32-545;*S-1-5-32-544 |
URA – Back up files and directories | ./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories | *S-1-5-32-544 |
URA – Create a pagefile | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePageFile | *S-1-5-32-544 |
URA – Create a token object | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreateToken | </> |
URA – Create global objects | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreateGlobalObjects | *S-1-5-20;*S-1-5-19;*S-1-5-6;*S-1-5-32-544 |
URA – Create permanent shared objects | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePermanentSharedObjects | </> |
URA – Create symbolic links | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreateSymbolicLinks | </> |
URA – Debug programs | ./Device/Vendor/MSFT/Policy/Config/UserRights/DebugPrograms | *S-1-5-32-544 |
URA – Deny access to this computer from the network | ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyAccessFromNetwork | *S-1-5-32-546 |
URA – Deny log on as a service | ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn | *S-1-5-32-546 |
URA – Deny log on through Terminal Services | ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyRemoteDesktopServicesLogOn | *S-1-5-32-546 |
URA – Force shutdown from a remote system | ./Device/Vendor/MSFT/Policy/Config/UserRights/RemoteShutdown | *S-1-5-32-544 |
URA – Impersonate a client after authentication | ./Device/Vendor/MSFT/Policy/Config/UserRights/ImpersonateClient | *S-1-5-20;*S-1-5-19;*S-1-5-6;*S-1-5-32-544 |
URA – Increase scheduling priority | ./Device/Vendor/MSFT/Policy/Config/UserRights/IncreaseSchedulingPriority | *S-1-5-32-544 |
URA – Load and unload device drivers | ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers | *S-1-5-32-544 |
URA – Lock pages in memory | ./Device/Vendor/MSFT/Policy/Config/UserRights/LockMemory | </> |
URA – Manage auditing and security log | ./Device/Vendor/MSFT/Policy/Config/UserRights/ManageAuditingAndSecurityLog | *S-1-5-32-544 |
URA – Modify an object label | ./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyObjectLabel | </> |
URA – Modify firmware environment values | ./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyFirmwareEnvironment | *S-1-5-32-544 |
URA – Perform volume maintenance tasks | ./Device/Vendor/MSFT/Policy/Config/UserRights/ManageVolume | *S-1-5-32-544 |
URA – Profile single process | ./Device/Vendor/MSFT/Policy/Config/UserRights/ProfileSingleProcess | *S-1-5-32-544 |
URA – Restore files and directories | ./Device/Vendor/MSFT/Policy/Config/UserRights/RestoreFilesAndDirectories | *S-1-5-32-544 |
URA – Take ownership of files or other objects | ./Device/Vendor/MSFT/Policy/Config/UserRights/TakeOwnership | *S-1-5-32-544 |
URA – Change the system time | ./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime | *S-1-5-32-544;*S-1-5-6 |
How can you check that the user rights assignments have worked? Let’s ask Mark. He usually knows these things.
Let’s download AccessChk from https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk. It allows you to check various permissions for files, registry keys, etc. We will use it with -a to show the Windows account rights. Let’s check SeSystemtimePrivilege, or Change the system time. According to the baseline, only Admin and Local Service should have this right. Let’s run accesschk.exe -a SeSystemtimePrivilege
Great, the values are as we expect. What about checking all the permissions? Let’s run accesschk.exe -a * to show all of them.
Now all the rights look good. So let’s plan to roll it out and hope we don’t become a funny story for my colleague.
Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-220976 | WN10-UR-000120 | SV-220976r569187_rule | | Medium |
Description |
---|
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Load and unload device drivers" user right allows device drivers to dynamically be loaded on a system by a user. This could potentially be used to install malicious code by an attacker. |
STIG | Date |
---|---|
 | 2021-08-18 |
Check Text (C-22691r555413_chk) |
---|
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Load and unload device drivers" user right, this is a finding: Administrators |
Fix Text (F-22680r555414_fix) |
---|
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to only include the following groups or accounts: Administrators |
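To confirm the rights actually landed, for both the blog’s accesschk step and the STIG check text above, here is an added PowerShell check (not the blog’s, the STIG’s or Microsoft’s own code). It parses a secedit export rather than accesschk output; the Se* privilege constants it maps the display names to are standard Windows names and are an assumption where the page only gives SeLoadDriverPrivilege.

```powershell
# Added example, not from the blog post or the STIG: compare the effective user
# rights on a test machine with the expected SIDs. Assumptions: secedit lists
# rights in its export under [Privilege Rights] as "SeName = *SID,*SID", and the
# Se* constants below are the standard names for the rights in the post's table.

# Expected holders per privilege, from the baseline table in the post.
$Expected = @{
    SeLoadDriverPrivilege           = @('S-1-5-32-544')                 # Administrators
    SeTrustedCredManAccessPrivilege = @()                               # No One
    SeDebugPrivilege                = @('S-1-5-32-544')
    SeInteractiveLogonRight         = @('S-1-5-32-544', 'S-1-5-32-545') # Administrators; Users
    SeRemoteShutdownPrivilege       = @('S-1-5-32-544')
    SeTakeOwnershipPrivilege        = @('S-1-5-32-544')
}

# Parse the [Privilege Rights] section of a secedit export into a hashtable of
# privilege -> sorted SID list, with the leading '*' marker stripped.
function Read-PrivilegeRights {
    param([string[]]$IniLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $IniLines) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $sids = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
            $rights[$Matches[1]] = @($sids | Sort-Object)
        }
    }
    return $rights
}

# Report every privilege whose holders differ from the baseline. A privilege
# missing from the export has no holders at all, which is what "No One" means.
function Compare-PrivilegeRights {
    param([hashtable]$Actual, [hashtable]$Baseline)
    foreach ($priv in $Baseline.Keys) {
        $have = if ($Actual.ContainsKey($priv)) { $Actual[$priv] -join ',' } else { '' }
        $want = @($Baseline[$priv] | Sort-Object) -join ','
        if ($have -ne $want) {
            [pscustomobject]@{ Privilege = $priv; Expected = $want; Actual = $have }
        }
    }
}

# Export the effective local policy (run from an elevated prompt) and check it.
$cfg = Join-Path $env:TEMP 'ura-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$drift = Compare-PrivilegeRights (Read-PrivilegeRights (Get-Content $cfg)) $Expected
if ($drift) { $drift | Format-Table -AutoSize } else { 'All checked user rights match the baseline.' }
```

Run it before and after the profile syncs; any row it prints is a right whose holders do not match the baseline, including extra accounts the baseline does not list.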
Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting.
This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer. Device drivers run as highly privileged code.
Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the computer. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices.
Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted.
This policy setting is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic.
Constant: SeLoadDriverPrivilege
Possible values: User-defined list of accounts; Not Defined
Location: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
By default this setting is Administrators and Print Operators on domain controllers and Administrators on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
Server type or GPO | Default value |
---|---|
Default Domain Policy | Not defined |
Default Domain Controller Policy | Administrators, Print Operators |
Stand-Alone Server Default Settings | Administrators |
Domain Controller Effective Default Settings | Administrators, Print Operators |
Member Server Effective Default Settings | Administrators |
Client Computer Effective Default Settings | Administrators |
There are no differences in the way this policy setting works between the supported versions of Windows that are designated in the Applies To list at the beginning of this topic.
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Device drivers run as highly privileged code. A user who has the Load and unload device drivers user right could unintentionally install malicious software that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures.
You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.
Do not assign the Load and unload device drivers user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins.
If you remove the Load and unload device drivers user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected.