76794e3a-d350-45a6-adf9-a4a9708271f9
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. This right is given to Administrators in the default configuration.
To fix this, configure the policy value for:
Computer Configuration
|_ Windows Settings
   |_ Security Settings
      |_ Local Policies
         |_ User Rights Assignment
            |_ "Debug programs" to include only the group "Administrators"
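One way to audit this setting, as an added example that is not part of the original finding: the PowerShell below parses a `secedit /export` of the user-rights area and reports any holder of `SeDebugPrivilege` (the constant name of "Debug programs") other than the built-in Administrators group (SID S-1-5-32-544). The function names and the sample export are constructed for illustration, and a right assigned to nobody is assumed to be acceptable.

```powershell
# Added example: audit who holds "Debug programs" (SeDebugPrivilege).
$AdministratorsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Test-DebugProgramsRight {
    # Hypothetical helper: takes the lines of a secedit user-rights export.
    param([Parameter(Mandatory)][string[]]$InfLines)

    $entry = $InfLines |
        Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $entry) {
        # Assumption: no entry means the right is assigned to nobody, so no
        # account other than Administrators holds it.
        return [pscustomobject]@{ Compliant = $true; Holders = @(); Unexpected = @() }
    }

    # Value is a comma-separated list; SIDs are prefixed with '*'.
    $holders = @(($entry -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
    # Anything that is not the Administrators SID (other SIDs, or accounts
    # exported by name) is reported for review.
    $unexpected = @($holders | Where-Object { $_ -ne $AdministratorsSid })

    [pscustomobject]@{
        Compliant  = ($unexpected.Count -eq 0)
        Holders    = $holders
        Unexpected = $unexpected
    }
}

function Get-UserRightsInf {
    # Live-host input (elevated prompt): export only the user-rights area.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    Get-Content $cfg
    Remove-Item $cfg
}

# Constructed sample export (not from a real host): a domain account with a
# made-up SID has been granted the right in addition to Administrators.
$sample = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"

Test-DebugProgramsRight -InfLines $sample | Format-List
```

On a live host, replace the sample with `Test-DebugProgramsRight -InfLines (Get-UserRightsInf)`.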
STIG:
Server:
2022: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2022-08-25/finding/V-254500
2019: https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93065 / https://www.stigviewer.com/stig/microsoft_windows_server_2019/2022-09-06/finding/V-205757
2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2022-09-06/finding/V-225079 / https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73755
Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2022-08-31/finding/V-253490
W10: https://www.stigviewer.com/stig/microsoft_windows_10/2022-04-08/finding/V-220967 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220967
NIST 800-53: AC-6(10)
NIST 800-171: 3.1.7
CMMCv2: L2-L3
CAT: I
CCI: CCI-002235
Rule-ID: SV-220967r852028_rule
STIG-ID: WN10-UR-000065
STIG-Legacy: SV-78359, V-63869
Vuln-ID: V-220967