What is "Replace a process level token"?




















This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. For member servers, ensure that only the Local Service and Network Service accounts have the Replace a process level token user right. On most computers, restricting the Replace a process level token user right to the Local Service and the Network Service built-in accounts is the default configuration, and there is no negative impact.

However, if you have installed optional components such as ASP.

Reference

This policy setting determines which parent processes can replace the access token that is associated with a child process.

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer is not required for this policy setting to be effective.

Group Policy settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.
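One way to check the countermeasure described above (only Local Service and Network Service hold the right), as an added example that is not part of the original page: the PowerShell below parses a `secedit` user-rights export and flags any other holder of `SeAssignPrimaryTokenPrivilege`, the constant name of this user right. The function names, the allow-list variable and the sample export (including the domain SID) are constructed for illustration.

```powershell
# Added example (not from the original page). Function names and the sample
# export are constructed; adjust $AllowedSids to your own baseline.
$AllowedSids = @(
    'S-1-5-19',   # NT AUTHORITY\LOCAL SERVICE
    'S-1-5-20'    # NT AUTHORITY\NETWORK SERVICE
)

function Get-ReplaceTokenHolders {
    param([string[]]$InfLines)
    $inRights = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inRights = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inRights -and $t -match '^SeAssignPrimaryTokenPrivilege\s*=\s*(.*)$') {
            # Comma-separated holders; SIDs carry a leading '*',
            # account names, when present, appear bare.
            return @(($Matches[1] -split ',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right absent from the export: nobody holds it
}

function Test-ReplaceTokenAssignment {
    param([string[]]$InfLines)
    foreach ($holder in @(Get-ReplaceTokenHolders -InfLines $InfLines)) {
        [pscustomobject]@{
            Principal = $holder
            Allowed   = $AllowedSids -contains $holder
        }
    }
}

# Constructed sample of `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# output; the third holder is a made-up domain account SID.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"

Test-ReplaceTokenAssignment -InfLines $sample | Format-Table -AutoSize
# On a real host (elevated prompt), feed it: Get-Content .\rights.inf
```

Because a GPO overwrites the local setting at the next Group Policy update, run the check against a fresh export rather than a stored one.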

Emphasis above is mine. So my question is: if someone knows the credentials for a given user, they can always run a process as them either using runas. What's the purpose of the "Replace a process level token" user right, and what's the security impact of it?

What's "Replace a process level token" for anyway?

Asked 1 year, 3 months ago. Active 1 year, 3 months ago. Aayla Secura

You're exactly correct. You may wish to read about the wheel group and sudoers on Linux, where it is definitely not true that "as long as they know the credentials no special permissions are needed" — Ben Voigt

@BenVoigt ah, yes, on Linux, it's true that they need to be in the wheel group by default to use su and there needs to be a sudoers rule for them to use sudo.


