Winlogon Key has incorrect permissions

Risk Level: Medium

Check or Attack Name: winlogon permissions

Platforms: Windows NT
Description:

The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key holds two values that name programs to run: one at system startup and one at each user logon.

The program named by the System value runs in the SYSTEM security context during startup; anyone who can point this value at a program of their own can run arbitrary code as SYSTEM and change any user's rights or group membership.

The program named by the UserInit value runs in the security context of each user who logs on, including Administrators.

The default permissions on this key grant Server Operators write access. A member of Server Operators can therefore replace either value, and either route can be used to raise that member's own access level to Administrator.

Remedy:

Remove Server Operator write access to the winlogon key.

To change the key's permissions, follow these steps:

  1. From the Windows NT Start menu, select Run.
  2. Type regedt32 and click OK to open the Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  4. From the Security menu, select Permissions.
  5. Select the Server Operators entry and either change its access to Read or remove the entry, then click OK. Do not remove SYSTEM or Administrators access, since Winlogon itself and administrators need it.
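The following script is an added example, not part of the ISS check or of Windows. It performs the audit the check describes and, with -Fix, applies the remedy above from the command line instead of regedt32. It assumes Windows PowerShell 5.1 or later with the Registry provider (which did not exist on Windows NT 4), that the group is named BUILTIN\Server Operators on the target host (it exists only on domain controllers), that the script runs elevated, and that the rights listed in the mask are the ones that would let the group rewrite the System or Userinit values.

```powershell
# Added example (not ISS's check code): audit, and with -Fix remove, Server Operators
# write access on the Winlogon key. Assumptions: Windows PowerShell 5.1+, the group
# name below, elevated session, and the write-rights mask chosen here.
[CmdletBinding()]
param([switch]$Fix)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Principal = 'BUILTIN\Server Operators'   # assumption: name of the group on this host

# Any of these rights lets the holder change the System or Userinit values
# (or grant themselves the right to do so).
$R = [System.Security.AccessControl.RegistryRights]
$WriteMask = $R::SetValue -bor $R::CreateSubKey -bor $R::WriteKey -bor
             $R::ChangePermissions -bor $R::TakeOwnership -bor $R::FullControl

function Get-OperatorWriteAces {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # Return every Allow ACE for the group that carries at least one write right.
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        ($_.RegistryRights -band $WriteMask) -ne 0
    }
}

# 1. Show what the two sensitive values currently point to, so a tampered
#    value is noticed even if the ACL has already been corrected.
$props = Get-ItemProperty -Path $KeyPath
"System   = $($props.System)"
"Userinit = $($props.Userinit)"

# 2. Audit the ACL.
$acl = Get-Acl -Path $KeyPath
$bad = @(Get-OperatorWriteAces -Acl $acl)
if ($bad.Count -eq 0) {
    "OK: $Principal has no write access to $KeyPath"
    return
}
foreach ($ace in $bad) {
    Write-Warning ("{0} has {1} on {2} (inherited: {3})" -f
        $Principal, $ace.RegistryRights, $KeyPath, $ace.IsInherited)
}
if (-not $Fix) { return }

# 3. Remediate. Inherited ACEs cannot be removed one by one, so if any offending
#    entry is inherited, first convert inherited entries into explicit copies.
if ($bad | Where-Object IsInherited) {
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $KeyPath -AclObject $acl
    $acl = Get-Acl -Path $KeyPath
    $bad = @(Get-OperatorWriteAces -Acl $acl)
}
foreach ($ace in $bad) { $null = $acl.RemoveAccessRule($ace) }

# Leave the group read access so it can still inspect the key, matching the
# "change to Read" option in the manual remedy.
$readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Principal, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($readRule)
Set-Acl -Path $KeyPath -AclObject $acl

# 4. Verify the change took effect.
if (@(Get-OperatorWriteAces -Acl (Get-Acl -Path $KeyPath)).Count -eq 0) {
    "Fixed: $Principal write access removed from $KeyPath"
} else {
    Write-Error "Write access still present on $KeyPath; check ownership and inheritance manually"
}
```

Run it without -Fix first to see what the ACL grants and what the two values point to; on a member server, where Server Operators does not exist, the audit reports OK because no ACE names that group. Re-run after -Fix (or after the regedt32 steps) to confirm that only read rights remain.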
References: