Details
This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users’ saved credentials might be compromised if this user right is assigned to other entities.
The recommended state for this setting is: No One.
Rationale:
If an account is given this right the user of the account may create an application that calls into Credential Manager and is returned the credentials for another user.
Impact:
None – this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to No One:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentAccess Credential Manager as a trusted caller
Default Value:
No one.
Additional Information:
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205749
Rule ID: SV-205749r569188_rule
STIG ID: WN19-UR-000010
Severity: CAT II
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Windows.