Content - ff2225c7b075b48dc885e0b63fecc184b01ae882 - 4dca8ab/scapolite/V-73791/SV-88455.md

SV-88455.md
---
scapolite:
    class: rule
    version: '0.51'
id: SV-88455
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The Lock pages in memory user right must not be assigned to any groups or accounts.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-80241r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Local
            Policies\User Rights Assignment\Lock pages in memory
        value: []
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: SeLockMemoryPrivilege
        section: Privilege Rights
        value: []
checks:
  - relative_id: C-73873r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1251
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-002235
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-47319-9
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-UR-000250
    internal_comment: ''
---


## /rule

The Lock pages in memory user right must not be assigned to any groups or accounts.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a denial of service.

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).

## /checks/0/description

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding.

If an application requires this user right, this would not be a finding.

Vendor documentation must support the requirement for having the user right.

The requirement must be documented with the ISSO.

The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).

## /checks/1/description

IASE supplies an OVAL check.