Check or Attack Name: Lock Memory Privilege

A user has been detected with Lock Pages in Memory privileges. The 'Lock pages in memory' user right allows a user to lock pages in memory so they cannot be paged out to a backing store such as PAGEFILE.SYS. If users have the capability to lock pages in memory, there is a risk that system performance may be adversely affected. This privilege is normally granted to subsystems, not to groups or to users.

Verify Advanced user rights in User Manager.

To audit and revoke this privilege, follow these steps:

1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
2. From the Policies menu, select User Rights to display the User Rights dialog box.
3. Select the Show Advanced User Rights check box.
4. From the Right list, select Lock pages in memory.
5. Verify this right is set in accordance with your security policy.
6. To remove a user, select the user and click Remove.

Microsoft Knowledge Base Article Q126767, Improve System Performance by Using Proper Working Set Size, http://support.microsoft.com/support/kb/articles/q126/7/67.asp

Microsoft Knowledge Base Article Q101366, Definition and List of Windows NT Advanced User Rights, http://support.microsoft.com/support/kb/articles/q101/3/66.asp