Skip to main content

Browse the archive

Raw File
SV-88461.md 
---
scapolite:
    class: rule
    version: '0.51'
id: SV-88461
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The Perform volume maintenance tasks user right must only be assigned to the
    Administrators group.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-80247r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Local
            Policies\User Rights Assignment\Perform volume maintenance tasks
        value:
          - Administrators
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: SeManageVolumePrivilege
        section: Privilege Rights
        value:
          - '*S-1-5-32-544'
checks:
  - relative_id: C-73879r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1254
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-002235
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-46126-9
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-UR-000280
    internal_comment: ''
---


## /rule

The Perform volume maintenance tasks user right must only be assigned to the Administrators group.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. This could be used to delete volumes, resulting in data loss or a denial of service.

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups:

- Administrators

## /checks/0/description

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding.

- Administrators

## /checks/1/description

IASE supplies an OVAL check.
back to top