Details
This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
The recommended state for this setting is: No One.
Note: This user right is considered a ‘sensitive privilege’ for the purposes of auditing.
Rationale:
The Act as part of the operating system user right is extremely powerful. Anyone with this user right can take complete control of the computer and erase evidence of their activities.
Impact:
There should be little or no impact because the Act as part of the operating system user right is rarely needed by any accounts other than the Local System account, which implicitly has this right.
Solution
To establish the recommended configuration via GP, set the following UI path to No One:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentAct as part of the operating system
Default Value:
No one.
Additional Information:
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205750
Rule ID: SV-205750r569188_rule
STIG ID: WN19-UR-000020
Severity: CAT I
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Windows.