This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The Perform volume maintenance tasks user right must only be assigned to the Administrators group.

STIG ID: WN16-UR-000280  |  SRG: SRG-OS-000324-GPOS-00125 |  Severity: medium (CAT II)  |  CCI: CCI-002235 |  Vulnerability Id: V-225088

Vulnerability Discussion

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. This could be used to delete volumes, resulting in data loss or a denial of service.

Check

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If an application requires this user right, this is not a finding.

Vendor documentation must support the requirement for having the user right.

The requirement must be documented with the ISSO.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeManageVolumePrivilege" user right, this is a finding.

S-1-5-32-544 (Administrators)

Fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Perform volume maintenance tasks to include only the following accounts or groups:

- Administrators
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.