Details
This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.
The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE.
Note: This user right is considered a ‘sensitive privilege’ for the purposes of auditing.
Rationale:
Users with the Replace a process level token privilege are able to start processes as other users whose credentials they know. They could use this method to hide their unauthorized actions on the computer. (On Windows 2000-based computers, use of the Replace a process level token user right also requires the user to have the Adjust memory quotas for a process user right that is discussed earlier in this section.)
Solution
To establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK SERVICE:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentReplace a process level token
Impact:
On most computers, this is the default configuration and there will be no negative impact. However, if you have installed Web Server (IIS), you will need to allow the IIS application pool(s) to be granted this User Right Assignment.
Default Value:
LOCAL SERVICE, NETWORK SERVICE.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Windows.