Content - 968f100a12b22f6bb392cade9f4b28a74cd55cc0 - 4dca8ab/scapolite/V-73803/SV-88467.md

SV-88467.md
---
scapolite:
    class: rule
    version: '0.51'
id: SV-88467
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The Take ownership of files or other objects user right must only be assigned
    to the Administrators group.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-80253r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Local
            Policies\User Rights Assignment\Take ownership of files and other objects
        value:
          - Administrators
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: SeTakeOwnershipPrivilege
        section: Privilege Rights
        value:
          - '*S-1-5-32-544'
checks:
  - relative_id: C-73885r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1257
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-002235
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-46216-8
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-UR-000310
    internal_comment: ''
---


## /rule

The Take ownership of files or other objects user right must only be assigned to the Administrators group.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to include only the following accounts or groups:

- Administrators

## /checks/0/description

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding.

- Administrators

If an application requires this user right, this would not be a finding.

Vendor documentation must support the requirement for having the user right.

The requirement must be documented with the ISSO.

The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).

## /checks/1/description

IASE supplies an OVAL check.