Lesson 2:Configuring User Rights

Under the Local Policies node, there are three nodes: Audit Policy, User Rights Assignment, and Security Options. Audit Policy was explained in Chapter 12, "Auditing Resources and Events." In this lesson you learn how use the Group Policy snap-in to assign user rights. Security options are covered in Lesson 3.


After this lesson, you will be able to

  • Configure user rights

Estimated lesson time: 30 minutes


User Rights

You can assign specific rights to groups or individual user accounts. To simplify administration of user rights, Microsoft recommends that you assign user rights only to groups and not individual user accounts. Each user right allows the members of the group or the individual users assigned the right to perform a specific action, such as backing up files or changing the system time. If a user is a member of more than one group, the user rights applied to that user are cumulative, so the user has all the user rights assigned to all the groups of which he or she is a member.

You can configure user rights on a computer running Windows XP Professional by using the Group Policy snap-in as follows:

  1. Click Start and click Run. Type mmc in the Open text box, and click OK to open an empty custom MMC console.
  2. On the File menu, click Add/Remove Snap-In, and then click Add.
  3. In the Add Standalone Snap-In dialog box, click Group Policy and then click Add.

    The Select Group Policy Object dialog box appears, allowing you to point the MMC console containing Group Policy at the local computer or at a remote computer. The Allow The Focus Of The Group Policy Snap-In To Be Changed When Launching From The Command Line check box allows you to configure the MMC so that you can decide which computer to use Group Policy on when you start the MMC.

  4. Click Finish to leave Group Policy with its focus on the Local Computer, the default setting, and save the console with Local Group Policy.
  5. Expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and Local Policies, and then click User Right Assignments.
  6. In the details pane, select the user right you want to configure, and then on the Action menu, click Properties.

    The console displays the current groups and user accounts that have this user right assigned, as shown in Figure 13.4. To add groups or user accounts, click Add. To remove a group or user, select the group or user and click Remove.

Figure 13.4 The Group Policy snap-in displaying User Rights Assignment

There are two types of user rights: privileges and logon rights.

Privileges

A privilege is a user right that allows the members of the group to which it is assigned to perform a specific task, usually one that affects an entire computer system rather than one object. Table 13.3 explains the privileges you can assign in Windows XP Professional.

Table 13.3 Privileges Available in Windows XP Professional

Privilege Description

Act As Part Of The Operating System

Allows a process to authenticate like a user and thus gain access to the same resources as a user.

Do not grant this privilege unless you are certain it is needed. Only low-level authentication services should require this privilege. Processes that require this privilege should use the LocalSystem account because it already has this privilege assigned.

A separate user account with this privilege allows a user or process to build an access token, granting them more rights than they should have, and does not provide a primary identity for tracking events in the audit log.

Add Workstations To Domain

Allows a user to add a computer to a domain. The user specifies the domain being added on the computer, and an object is created in the Computer container of Active Directory in that domain.

For this privilege to be effective, it must be assigned as part of the default domain controller policy for the domain.

Back Up Files And Directories

Allows a user to back up the system without being assigned permissions to access all files and folders on the system.

By default, members of the Administrators and Backup Operators groups have this privilege on workstations, member servers, and domain controllers. On domain controllers, members of the Server Operators group have this privilege.

Bypass Traverse Checking

Allows a user to move through folders that he or she has no permission to access. This privilege does not allow the user to view the contents of a folder, just to move through the folder.

By default, members of the Administrators, Backup Operators, Power Users, Users, and Everyone groups have this privilege on workstations and member servers.

Change The System Time

Allows a user to set the time for the internal clock of the computer.

By default, members of the Administrators and Power Users groups, as well as the LocalSystem and NetworkService accounts, have this privilege on workstations and member servers.

By default, members of the Administrators and Server Operators groups, as well as the LocalSystem and NetworkService accounts, have this privilege on domain controllers.

Create A Token Object

Allows a process to create a token that it can then use to access any local resource when the process uses a token-creating application programming interface (API).

Microsoft recommends that processes requiring this privilege use the LocalSystem account because it already has this privilege.

Create Permanent Shared Objects

Allows a process to create a directory object in the Windows object manager. This privilege is useful to kernel-mode components that plan to extend the Windows object namespace. Components that run in kernel mode already have this privilege, so it is not necessary for you to assign it to them.

Create A Pagefile

Allows a user to create a pagefile and modify the size of existing pagefiles. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Debug Programs

Allows a user to attach a debugger on any process. This privilege provides powerful access to sensitive and critical system operating components.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Enable Computer And User Accounts To Be Trusted For

Allows the user to set the Trusted For Delegation setting on a user or computer object. A server process running on a computer that is trusted for delegation or run by a user who is trusted fordelegation can access resources on another computer.

Do not assign this privilege unless you understand that this privilege and the Trusted For Delegation setting can open your network to attacks from Trojan horse programs that impersonate incoming clients and use their credentials to access network resources.

This privilege is not assigned to anyone on workstations or member servers. On domain controllers it is assigned by default to the members of the Administrators group.

Force Shutdown From A Remote System

Allows a user to shut down a computer from a remote computer on the network.

By default, members of the Administrators group have this privilege on workstations and member servers. By default, members of the Administrators and Server Operators groups have this privilege on domain controllers.

Generate Security Audits

Allows a process to make entries in the security log for object access auditing.

Adjust Memory Quotas For A Process

Allows a process to increase the processor quota assigned to another process. The process must have write access to the process for which it increases the processor quota.

Increase Scheduling Priority

Allows a process to increase the execution priority of another process. The process must have write access to the process for which it increases the execution priority.

Allows users to change the scheduling priority of a process through Task Manager.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Load And Unload Device Drivers

Allows a user to install and uninstall Plug and Play device drivers. Non-Plug and Play device drivers are not affected by this privilege.

By default, only Administrators have this privilege. Exercise caution in granting this privilege. Device drivers run as trusted programs and only device drivers with correct digital signatures should be installed.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Lock Pages In Memory

Allows a process to lock data in physical memory and prevent Windows XP Professional from paging the data to virtual memory (a pagefile) on disk.

This privilege is not assigned to anyone by default. Some system processes have this privilege.

Manage Auditing And Security Log

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys.

A user with this privilege can also view and clear the security log from the Event Viewer.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Modify Firmware Environment Values

Allows a user to use the System Properties program to modify system environment variables.

Allows a process to use an API to modify the system environment variables.

Perform Volume Maintenance Tasks

Allows users to run disk tools, such as Disk Cleanup or Disk Defragmenter.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Profile A Single Process

Allows a user to use performance-monitoring tools to monitor the performance of nonsystem processes.

By default, on workstations and member servers, Administrators and Power Users have this privilege. On domain controllers, only Administrators have this privilege.

Profile System Performance

Allows a user to use performance-monitoring tools to monitor the performance of system processes.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Remove Computer From Docking Station

Allows a user to undock a portable computer.

By default, members of the Administrators, Power Users, and Users groups have this privilege on workstations and member servers.

Replace A Process- Level Token

Allows a parent process to replace the access token associated with a child process.

Restore Files And Directories

Allows a user to restore backed up files and directories without being assigned the appropriate file and folder permissions, and allows a user to set any valid security principal as the owner of the object.

By default, members of the Administrators and Backup Operators groups have this privilege on workstations, member servers, and domain controllers. On domain controllers, members of the Server Operators group also have this privilege.

Shut Down The System

Allows a user to shut down the local computer.

By default, members of the Administrators, Backup Operators, Power Users, and Users groups have this privilege on workstations.

By default, members of the Administrators, Backup Operators, and Power Users groups have this privilege on member servers.

By default, members of the Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators groups have this privilege on domain controllers.

Synchronize Directory Service Data

Allows a process to provide directory service synchronization services. This privilege is relevant only on domain controllers.

Take Ownership Of Files Or Other Objects

Allows a user to take ownership of objects in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Logon Rights

A logon right is a user right assigned to a group or an individual user account. Logon rights control the way users can log on to a system. Table 13.4 explains the logon rights you can assign in Windows XP Professional.

Table 13.4 Logon Rights Available in Windows XP Professional

Logon right Description

Access This Computer From The Network

Allows a user to connect to the computer over the network.

By default, members of the Administrators, Power Users, and Everyone groups are granted this logon right on workstations, member servers, and domain controllers.

Deny Access To This Computer From The Network

Prevents a user from connecting to the computer over the network.

By default, this right is not granted to anyone.

Log On As A Batch Job

Allows a user to log on using a batch-queue facility.

By default, members of the Administrators group are granted this logon right on workstations, member servers, and domain controllers.

If Internet Information Services (IIS) is installed, the right is automatically assigned to the built-in account for anonymous access to IIS.

Deny Logon As A Batch Job

Prevents a user from logging on using a batch-queue facility.

By default, this right is not granted to anyone.

Log On As A Service

Allows a security principal (an account holder such as a user, computer, or service) to log on as a service. Services can be configured to run under the LocalSystem, LocalService, or NetworkService accounts, which have the right to log on as a service. Any service that runs under a separate account must be granted this right.

By default, this right is not granted to anyone.

Deny Logon As A Service

Prevents a security principal from logging on as a service.

By default, this right is not granted to anyone.

Log On Locally

Allows a user to log on at the computer's keyboard.

By default, members of the Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators groups are granted this logon right.

Deny Logon Locally

Prevents a user from logging on at the computer's keyboard.

By default, this right is not granted to anyone.

Allow Logon Through Terminal Services

Allows a user to log on using Terminal Services.

By default, members of the Administrators and Remote Desktop Users groups are granted this logon right on workstations and member servers. On domain controllers, only Administrators are granted this logon right.

Deny Logon Through Terminal Services

Prevents a user from logging on using Terminal Services.

By default, this right is not granted to anyone.

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."

  1. Which of the following statements about user rights are correct? (Choose all that apply.)
    1. Microsoft recommends that you assign user rights to individual user accounts.
    2. Microsoft recommends that you assign user rights to groups rather than individual user accounts.
    3. User rights allow users assigned the right to perform a specific action, such as backing up files and directories.
    4. There are two types of user rights: privileges and logon rights.
  2. If your computer running Windows XP Professional is part of a Windows 2000 domain environment and you configure the Local Security Policies on your computer so that you assign yourself the Add Workstation To A Domain user right, can you add additional workstations to the domain? Why or why not?
  3. What benefit does the Back Up Files And Directories user right provide?
  4. What are logon rights and what do they do?

Lesson Summary

  • User Rights Assignment is one of the three nodes located under the Local Policies node and it can be configured using the Group Policy snap-in.
  • A privilege is a user right that allows users to perform a specific task, usually one that affects an entire computer system rather than one object.
  • Bypass Traverse Tracking is a privilege that allows users to move through folders that they have no permission to access.
  • Logon rights are user rights assigned to a group or an individual user account to control the way users can log on to a system.
  • Logon rights control whether or not a user can connect to a computer over the network or sitting at the computer's keyboard.


MCSE Training Kit(c) Microsoft Windows XP Professional (Exam 70-270 2001)
MCSE Training Kit(c) Microsoft Windows XP Professional (Exam 70-270 2001)
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 128

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net