Winlogon Key has incorrect permissions

nt-winlogon-perm (187) The risk level is classified as Medium Risk

Description:

The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key has two values that can be used to run a process during startup, or when a user logs on.

The programs pointed to by the System value run under the system user context after startup, and could be used to change a user's rights or access level.

The UserInit value runs applications when a user logs in.

The default settings for this key allow Server Operators to write these values, either of which could be used to raise a Server Operator's access level to Administrator.

Platforms Affected:

  • Microsoft, Windows 2000
  • Microsoft, Windows 2003 Server
  • Microsoft, Windows NT 4.0
  • Microsoft, Windows XP

Remedy:

Remove Server Operator write access to the winlogon key.

To remove the write access:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. From the Windows NT Start menu, select Run.
  2. Type regedt32 and click OK to open the Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  4. From the Security menu, select Permissions.
  5. Remove Server Operator write access.
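To confirm the result of the steps above, or to audit a host before changing it, the following read-only check lists any allow entry on the Winlogon key that gives Server Operators write-type rights. It is an added example, not part of the original advisory or an ISS tool. It assumes PowerShell 2.0 or later is available on the host and identifies the group by its well-known SID S-1-5-32-549; the variable names are illustrative.

```powershell
# Added example: read-only audit of the Winlogon key ACL. Changes nothing.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$serverOperators = 'S-1-5-32-549'   # well-known SID of BUILTIN\Server Operators

# Rights that allow changing values, subkeys, or the key's own security,
# plus the generic GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

$acl = Get-Acl -Path $keyPath
# Request SIDs instead of account names so the check works on localized systems.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if ($rule.IdentityReference.Value -ne $serverOperators) { continue }
    if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }
    New-Object PSObject -Property @{
        Sid         = $rule.IdentityReference.Value
        Rights      = $rule.RegistryRights
        Inherited   = $rule.IsInherited          # inherited entries must be fixed on the parent key
        Propagation = $rule.PropagationFlags     # InheritOnly entries apply to subkeys only
    }
}

if ($findings) {
    Write-Output "Server Operators hold write-type rights on $keyPath"
    $findings | Format-List
} else {
    Write-Output "No write-type allow entry for Server Operators on $keyPath"
}

# Show the two values the advisory names, so unexpected entries stand out.
Get-ItemProperty -Path $keyPath | Select-Object Userinit, System | Format-List
```

An entry reported with Inherited set to True comes from a parent key and does not show as removable on the Winlogon key itself.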

Consequences:

Gain Access

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
