Security Center Remediate security configurations-Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

jagadish karem 1 Reputation point
2021-06-24T11:17:46.59+00:00

Can someone help me remediate this security center "Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'"?
I have a web server (IIS) installed in my VM. The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE, but I got 'IIS apppool/DefaultAppPool' along with the recommended.

A Member Server that holds the Web Server (IIS) Role with Web Server Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right.


1 answer

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-06-28T02:36:48.243+00:00

    @jagadish karem Thanks for reaching out.

    On most computers, restricting the Replace a process level token user right to the Local Service and the Network Service built-in accounts is the default configuration, and there is no negative impact.

    However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the Replace a process level token user right to additional accounts.
    IIS requires that the Service, Network Service, and IWAM_<ComputerName> accounts be explicitly granted this user right.

    Under Security Center, if you do not want to see that recommendation, you can suppress this alert by using a suppression rule.
    You can use this link to create a suppression rule for this server recommendation: https://learn.microsoft.com/en-us/azure/security-center/alerts-suppression-rules

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
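
Before suppressing the recommendation, it helps to confirm that the only extra holders of the right are IIS application pool identities. The following audit script is an added example, not part of the original thread or of any Microsoft tooling. The function names, the `-AllowIisAppPools` switch and the sample SIDs are constructed for illustration, and it assumes the policy was exported with `secedit /export /areas USER_RIGHTS`.

```powershell
# Added example: audit 'Replace a process level token' (SeAssignPrimaryTokenPrivilege).
$Baseline = @('S-1-5-19', 'S-1-5-20')   # LOCAL SERVICE, NETWORK SERVICE

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right = 'SeAssignPrimaryTokenPrivilege')
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }          # right is assigned to nobody
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Test-ReplaceTokenRight {
    param([string[]]$InfLines, [switch]$AllowIisAppPools)
    foreach ($entry in Get-UserRightHolders -InfLines $InfLines) {
        # secedit writes SIDs as *S-1-...; some entries can appear as account names
        $sid = $entry
        if ($entry -notmatch '^S-1-') {
            try {
                $acct = [System.Security.Principal.NTAccount]$entry
                $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = $null }        # name could not be resolved on this host
        }
        if ($sid -in $Baseline) { $status = 'Baseline' }
        elseif ($AllowIisAppPools -and $sid -like 'S-1-5-82-*') { $status = 'IIS exception' }
        else { $status = 'Unexpected' }     # review before suppressing the finding
        [pscustomobject]@{ Entry = $entry; Sid = $sid; Status = $status }
    }
}

# Constructed sample of a secedit export (SIDs after the first two are made up).
$sample = @(
    '[Privilege Rights]',
    'SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1111111111-2222222222-3333333333-4444444444-5555555555,*S-1-5-21-1000000000-2000000000-3000000000-1001',
    'SeBackupPrivilege = *S-1-5-32-544'
)
Test-ReplaceTokenRight -InfLines $sample -AllowIisAppPools | Format-Table -AutoSize

# On a live server, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-ReplaceTokenRight -InfLines (Get-Content "$env:TEMP\rights.inf") -AllowIisAppPools
```

With the sample input, the two built-in service accounts report as `Baseline`, the `S-1-5-82-*` application pool SID as `IIS exception`, and the domain-style SID as `Unexpected`. An `Unexpected` row means the setting differs from the recommendation for a reason other than the documented IIS exception.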