SV-88461.md
---
scapolite:
    class: rule
    version: '0.51'
id: SV-88461
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The Perform volume maintenance tasks user right must only be assigned to the
    Administrators group.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-80247r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Local
            Policies\User Rights Assignment\Perform volume maintenance tasks
        value:
          - Administrators
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: SeManageVolumePrivilege
        section: Privilege Rights
        value:
          - '*S-1-5-32-544'
checks:
  - relative_id: C-73879r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1254
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-002235
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-46126-9
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-UR-000280
    internal_comment: ''
---
## /rule
The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
## /description
[**VulnDiscussion**]{.separator type='STIG'}
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.
Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. This could be used to delete volumes, resulting in data loss or a denial of service.
[**Documentable**]{.separator type='STIG'}
false
## /implementations/0/description
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups:
- Administrators
## /checks/0/description
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding.
- Administrators
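
The same check can be scripted against a user-rights export produced with `secedit /export /cfg <file> /areas USER_RIGHTS`. The following is an added example, not part of the STIG or of this rule's automations; the function names are hypothetical, and treating a resolved `Administrators` name as equivalent to the SID is an assumption.

```python
import re

# Section, setting and allowed SID come from the win_secedit automation on this page.
SECTION, SETTING = "Privilege Rights", "SeManageVolumePrivilege"
ALLOWED_SIDS = {"*S-1-5-32-544"}  # BUILTIN\Administrators
# Assumption: a resolved group name in the export counts the same as the SID.
ALLOWED_NAMES = {"administrators", "builtin\\administrators"}


def read_export(path):
    """Read a secedit export file (secedit writes UTF-16 with a BOM)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def assigned_principals(inf_text):
    """Principals listed for SETTING inside [SECTION]; [] when the right is unassigned."""
    current = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            continue
        name, sep, value = line.partition("=")
        if sep and current == SECTION and name.strip().lower() == SETTING.lower():
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def unexpected_principals(inf_text):
    """Principals holding the right beyond Administrators; an empty list means no finding."""
    return [p for p in assigned_principals(inf_text)
            if p.upper() not in ALLOWED_SIDS and p.lower() not in ALLOWED_NAMES]


# Constructed sample export (not from a real host): Backup Operators and a
# hypothetical service account have been granted the right as well.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeManageVolumePrivilege = *S-1-5-32-544,*S-1-5-32-551,svc_backup
"""

if __name__ == "__main__":
    print(unexpected_principals(SAMPLE))
```

On a real host, pass `read_export(path)` to `unexpected_principals`; a missing `SeManageVolumePrivilege` line means the right is assigned to no one and yields no finding.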
## /checks/1/description
IASE supplies an OVAL check.