In case this is a response from the MSRC, try contacting them again to verify if this is really not a security issue and then you may create a proof of concept of how to reproduce it and use the Feedback Hub app in Windows and report this issue.
Bypassing group policy for "logon as service"
Hi,
I found that it's possible to bypass the group policy-enforced setting "allow log on as service" by specifying the logon for a service in the Services applet, and submitted the following steps to the Microsoft security response team (ticket VULN-060371):
- Have domain group policy with specified setting "log on as service" that specifies who can log on as service
- Have this policy applying to this Windows 10 machine
- open Services, and for a service that is currently running as local system account, change logon to user X (who is not one of those allowed in GP), and specify the password
- observe message "User X has been granted "logon as service" privilege"
- open Local Security Policy, navigate to Local Policies / user rights assignment / logon as service - verify that user X is indeed in the list - contrary to GP
- However, you can't even remove him now from the list; the buttons are disabled because this is controlled by group policy.
I then received the following response:
Thank you for contacting the Microsoft Security Response Center (MSRC). What you're reporting appears to be a bug/product suggestion for Edge, but would not meet the bar for security servicing. Please submit this through the "Feedback" option within the browser via "Help & Feedback" section.
I.e. it looks like this was understood as a problem with Edge browser? It certainly has nothing to do with Edge.
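A check an administrator could run to spot the divergence described in the question, where the effective "Log on as a service" list holds an account the group policy does not name. This is an added example, not part of the original post or its replies; the function names, the constructed INF samples and SIDs, and the assumption that a single GPO template defines the right are all illustrative.

```powershell
# Added example. Compares the effective SeServiceLogonRight assignment with
# the list a GPO security template defines. Both inputs use the INF format
# written by "secedit /export" and stored in a GPO's GptTmpl.inf.
function Get-RightHolders {
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [string]$Right = 'SeServiceLogonRight'
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match "^$([regex]::Escape($Right))\s*=\s*(.*)$") {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Compare-ServiceLogonRight {
    param([string[]]$GpoInf, [string[]]$LocalInf)
    $allowed = @(Get-RightHolders -InfLines $GpoInf)
    $actual  = @(Get-RightHolders -InfLines $LocalInf)
    # Plain string comparison (an assumption): entries written as account
    # names rather than SIDs must be normalised before comparing.
    @($actual | Where-Object { $allowed -notcontains $_ })
}

# Constructed sample data; the SIDs are made up.
$gpoInf = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"
$localInf = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1234
'@ -split "`r?`n"

# Real input, run elevated (paths are placeholders):
#   secedit /export /cfg "$env:TEMP\local.inf" /areas USER_RIGHTS
#   $localInf = Get-Content "$env:TEMP\local.inf"
#   $gpoInf   = Get-Content '\\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
Compare-ServiceLogonRight -GpoInf $gpoInf -LocalInf $localInf
```

Any SID the function returns holds the right locally without being listed in the template, which is the state the steps above end in.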
Reza-Ameri 17,341 Reputation points Volunteer Moderator
2022-01-09T15:47:44.467+00:00
Limitless Technology 39,926 Reputation points
2022-01-11T09:41:04.357+00:00
Hi there,
If this is a security bug and if you believe you have found a security vulnerability that meets Microsoft's definition of a security vulnerability, you must submit the report to MSRC at https://msrc.microsoft.com/create-report.
If the vulnerability you are reporting is from a penetration test, work through your Microsoft Customer Support Services team, who can help interpret the report and suggest remediations.
Report an issue and submission guidelines
https://www.microsoft.com/en-us/msrc/faqs-report-an-issue