Privileges


Privileges, together with the logon rights mentioned in "Authenticated Logon," make up a general category called rights. A privilege is the authorization to perform an operation that affects an entire computer rather than specific objects only. (Access to specific objects is controlled by permissions.) Privileges are defined in a computer's security policy.

To view user privileges, log on using an account that has administrative authority and then open the Local Security Policy tool, which lets you view and edit security policies. Figure 3-1 shows this tool and the user rights assignment, or the granting of privileges, for the local computer.


Figure 3-1. User rights assignment in the Local Security Policy tool.

NOTE
You can grant and revoke user rights from the command line by using the NTRights.exe tool in the Microsoft Windows 2000 Server Resource Kit.

There are a number of user rights in Windows 2000 that are not available in Windows NT 4, including

  • Deny access to this computer from the network
  • Deny logon as a batch job
  • Deny logon as a service
  • Deny logon locally

These are the opposite of the normal logon rights discussed in "Authenticated Logon" and override those logon rights. If a user has both the Logon Locally right and the Deny Logon Locally right, he or she will not be able to log on locally. The main purpose of these privileges is to support the "allow everyone but x" type of scenario. If you wanted to support this scenario in Windows NT, you'd have to create a new group, add valid users and groups to the new group, and then apply the privileges to the group. This kind of situation is easier to implement with the new scheme of deny privileges in Windows 2000.
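
The following sketch is an added example, not code from the book. It models the deny-overrides-allow rule over the [Privilege Rights] section of a security policy export (the layout written by secedit /export) and lists accounts that hold both a logon right and its deny counterpart. The policy text, account names and group memberships are constructed, and entries are shown as names rather than SIDs for readability.

```python
# Added example: model of "deny overrides allow" for Windows logon rights.
# SAMPLE_INF and MEMBERSHIP are constructed sample data; the Se* names are
# the constants behind the four allow/deny logon rights listed in the text.
PAIRS = {  # allow right -> deny right that overrides it
    "SeNetworkLogonRight": "SeDenyNetworkLogonRight",
    "SeBatchLogonRight": "SeDenyBatchLogonRight",
    "SeServiceLogonRight": "SeDenyServiceLogonRight",
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = Everyone
SeDenyInteractiveLogonRight = Contractors
SeNetworkLogonRight = Administrators,Users
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""

MEMBERSHIP = {  # account -> groups it belongs to (constructed)
    "alice": {"Everyone", "Users"},
    "bob": {"Everyone", "Users", "Contractors"},
    "Guest": {"Everyone", "Guests"},
}

def parse_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Real exports prefix SIDs with '*'; strip it so entries compare cleanly.
            rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def matches(user, right, rights, membership):
    """True if the user, or any group the user is in, is listed for the right."""
    return bool(({user} | membership.get(user, set())) & rights.get(right, set()))

def can_logon(user, allow_right, rights, membership):
    """Allowed only if an allow entry matches and no deny entry does."""
    return (matches(user, allow_right, rights, membership)
            and not matches(user, PAIRS[allow_right], rights, membership))

def conflicts(allow_right, rights, membership):
    """Accounts holding both the allow right and its deny right (deny wins)."""
    return sorted(u for u in membership
                  if matches(u, allow_right, rights, membership)
                  and matches(u, PAIRS[allow_right], rights, membership))
```

Here Everyone is granted local logon and the Contractors group is denied it, which is the "allow everyone but x" scenario without building a replacement group.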



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
