Inappropriate user with Replace a Process Level Token privilege

Risk Level: High

Check or Attack Name: Replace Process Token Privilege

Platforms: Windows NT

Description:

A user has been detected with the Replace a Process Level Token privilege. This right is not normally granted to any user and can be used to attain administrative rights.

Remedy:

Verify Advanced user rights in User Manager.

To audit and revoke this privilege, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. From the Policies menu, select User Rights to display the User Rights Policy dialog box.
  3. Select the Show Advanced User Rights check box.
  4. From the Right list, select Replace a process level token.
  5. Verify that this right is set in accordance with your security policy.
  6. To remove a user, select the user and click Remove.
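
The same audit can be scripted across many hosts. The following is an added example, not part of the original advisory: it assumes the user rights were exported to text with `secedit /export /cfg rights.inf /areas USER_RIGHTS` (a tool the advisory does not mention), where this right appears under its constant name SeAssignPrimaryTokenPrivilege. The sample export, SID and account name are constructed.

```python
import re

# Constant name Windows uses for the "Replace a process level token" right.
RIGHT = "SeAssignPrimaryTokenPrivilege"

# Constructed sample of a secedit user-rights export (not from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeAssignPrimaryTokenPrivilege = *S-1-5-21-1004336348-1177238915-682003330-1013,LAB\\jsmith
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(export_text, right=RIGHT):
    """Return the accounts/SIDs listed for `right` in [Privilege Rights]."""
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue  # the same key name in another section is ignored
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # Entries are comma separated; SIDs carry a leading '*'.
            return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []  # right absent from the export: no account holds it


def unexpected_holders(export_text, allowed=()):
    """Holders not on the policy allow-list (empty by default: none expected)."""
    allowed_set = {a.lower() for a in allowed}
    return [h for h in privilege_holders(export_text) if h.lower() not in allowed_set]


if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE_EXPORT):
        print("Review and remove if not required:", holder)
```

Real exports are typically UTF-16 encoded, so decode the file before passing its text to these functions.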

References:

Microsoft Knowledge Base Article Q101366, Definition and List of Windows NT Advanced User Rights, http://support.microsoft.com/support/kb/articles/q101/3/66.asp

Microsoft Knowledge Base Article Q186374, Enable Auditing of Microsoft Windows NT Server Password Registry, http://support.microsoft.com/support/kb/articles/q186/3/74.asp

Microsoft Knowledge Base Article Q131144, HOWTO: Assign Privileges to Accounts for API Calls, http://support.microsoft.com/support/kb/articles/q131/1/44.asp

