| Winlogon Key has incorrect permissions | |
|---|---|
| Risk Level: | Medium |
| Check or Attack Name: | winlogon permissions |
| Platforms: | Windows NT |
| Description: | The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key has two values that can be used to run a process during startup or when a user logs on. The programs pointed to by the System value run under the system user context after startup, and could be used to change a user's rights or access level. The UserInit value runs applications when a user logs in. The default settings for this key allow Server Operators to write these values, either of which could be used to raise a Server Operator's access level to Administrator. |
| Remedy: | Remove Server Operator write access to the Winlogon key. To remove association, follow these steps: |
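
As an added example (not part of the original entry), the following PowerShell audit lists the principals that hold write-capable rights on the Winlogon key and flags Server Operators. It assumes a Windows version with PowerShell available, and the baseline of allowed writers is an assumption to adjust to local policy.

```powershell
# Added example: list principals that can modify the Winlogon key.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$rights = [System.Security.AccessControl.RegistryRights]
# Rights that let a principal change values or re-permission the key,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which
# can appear unmapped in inherit-only ACEs.
$writeMask = [int]($rights::SetValue -bor $rights::CreateSubKey -bor
                   $rights::ChangePermissions -bor $rights::TakeOwnership) -bor
             0x40000000 -bor 0x10000000

# Assumed baseline of principals allowed to write (adjust to local policy).
$allowed = @{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}
$serverOperators = 'S-1-5-32-549'   # well-known SID of BUILTIN\Server Operators

# Read the key's DACL with identities expressed as SIDs, so the check
# does not depend on localized group names.
$acl   = Get-Acl -Path $path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }
    $sid = $rule.IdentityReference.Value
    if ($allowed.ContainsKey($sid)) { continue }
    [pscustomobject]@{
        Sid             = $sid
        Rights          = $rule.RegistryRights
        Inherited       = $rule.IsInherited
        ServerOperators = ($sid -eq $serverOperators)
    }
}

# Show what the two values named in the description currently launch.
Get-ItemProperty -Path $path | Select-Object System, Userinit | Format-List

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Principals outside the baseline can write to the Winlogon key.'
} else {
    Write-Output 'Only baseline principals can write to the Winlogon key.'
}
```

Run it from an elevated session; a row with `ServerOperators` set to `True` corresponds to the condition this check describes.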