---
scapolite:
  class: rule
  version: '0.51'
id: SV-88455
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The Lock pages in memory user right must not be assigned to any groups or accounts.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-80241r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Local
          Policies\User Rights Assignment\Lock pages in memory
        value: []
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: SeLockMemoryPrivilege
        section: Privilege Rights
        value: []
checks:
  - relative_id: C-73873r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1251
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-002235
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-47319-9
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-UR-000250
    internal_comment: ''
---
## /rule
The Lock pages in memory user right must not be assigned to any groups or accounts.
## /description
[**VulnDiscussion**]{.separator type='STIG'}
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.
The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a denial of service.
[**Documentable**]{.separator type='STIG'}
false
## /implementations/0/description
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).
## /checks/0/description
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding.
If an application requires this user right, this would not be a finding.
Vendor documentation must support the requirement for having the user right.
The requirement must be documented with the ISSO.
The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
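
The manual check above can also be run against a `secedit /export /cfg <file> /areas USER_RIGHTS` file, using the `Privilege Rights` section and `SeLockMemoryPrivilege` setting named in this rule's `win_secedit` automation. The following is an added example, not part of the STIG or of scapolite: the function names, the sample export bytes and the `svc_app` account (standing for an account with an ISSO-documented vendor requirement) are constructed, and a missing line and a blank line are both treated as "no entries".

```python
import codecs

SECTION = "Privilege Rights"       # section from the win_secedit automation
SETTING = "SeLockMemoryPrivilege"  # setting_name from the same automation

def decode_inf(raw):
    """secedit exports are UTF-16LE with a BOM; also accept UTF-8 copies."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def holders(inf_text):
    """Principals granted SETTING; [] when the line is absent or blank."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == SECTION.lower() and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == SETTING.lower():
                # SIDs are written with a leading '*', account names without it
                return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []

def evaluate(raw, documented=()):
    """Return (is_finding, principals lacking a documented exception)."""
    allowed = {name.lower() for name in documented}
    extra = [p for p in holders(decode_inf(raw)) if p.lower() not in allowed]
    return bool(extra), extra

def sample_inf(*priv_lines):
    """Constructed export: UTF-16LE bytes with BOM and CRLF line endings."""
    lines = ["[Unicode]", "Unicode=yes", "[Privilege Rights]",
             "SeBackupPrivilege = *S-1-5-32-544", *priv_lines,
             "[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return codecs.BOM_UTF16_LE + "\r\n".join(lines).encode("utf-16-le")

ABSENT = sample_inf()                                   # right not assigned
BLANK = sample_inf("SeLockMemoryPrivilege =")           # defined but empty
GRANTED = sample_inf("SeLockMemoryPrivilege = *S-1-5-32-544,svc_app")

if __name__ == "__main__":
    for name, raw in [("absent", ABSENT), ("blank", BLANK), ("granted", GRANTED)]:
        print(name, evaluate(raw))
    print("granted, svc_app documented", evaluate(GRANTED, {"svc_app"}))
```

Passing a documented account only removes that account from the result; any other principal on the line, such as the Administrators SID in the sample, still yields a finding.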
## /checks/1/description
IASE supplies an OVAL check.