Privileges


To ease the task of security administration, it is recommended that you assign privileges primarily to groups rather than to individual user accounts. When you assign privileges to a group, the privileges are assigned automatically to each user who is added to the group. This is easier than assigning privileges to individual user accounts as each account is created.

The privileges that can be assigned are listed and described in Table B-2. The display name for each privilege is followed by the corresponding string constant (in parentheses). Many command-line tools, such as secedit and whoami /priv, refer to privileges by string constant rather than by display name. The default settings are taken from the Windows XP Professional Local Computer policy; other versions of Windows ship with different defaults, so check the policy of the version you administer before treating a deviation as an error.

Table B-2: Privileges

Each entry gives the privilege's display name and string constant, a description, and the default setting.

Act as part of the operating system

(SeTcbPrivilege)

Allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this privilege.

Default setting: Not assigned.

Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log.

When a service requires this privilege, configure the service to log on using the Local System account, which has the privilege inherently. Do not create a separate account and assign the privilege to it.

Add workstations to domain

(SeMachineAccountPrivilege)

Allows the user to add a computer to a specific domain. For the privilege to take effect, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain.

Default setting: Not assigned.

Users can also join a computer to a domain if they have Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have this permission can add an unlimited number of computers to the domain regardless of whether they have been assigned the Add workstations to domain privilege.

Adjust memory quotas for a process

(SeIncreaseQuotaPrivilege)

Allows a process that has access to a second process to increase the memory (working set) quota assigned to the second process. The privilege is also checked by CreateProcessAsUser, usually together with Replace a process-level token, which is why the service accounts listed below hold it. This privilege is useful for system tuning, but it can be abused: in the wrong hands, it could be used to launch a denial-of-service attack by letting a process consume memory the system needs.

Default setting: Administrators, Local Service, and Network Service.

Back up files and directories

(SeBackupPrivilege)

Allows the user to circumvent file and directory permissions to back up the system. The privilege is checked only when an application opens an object with backup semantics through the NTFS backup application programming interface (API), for example with BackupRead. Otherwise, normal file and directory permissions apply. Because the privilege bypasses read permissions on every file, including the registry hives and, on a domain controller, the directory database, a holder can read any data stored on the computer; treat Backup Operators as a highly privileged group.

Default setting: Administrators and Backup Operators.

See also Restore files and directories in this table.

Bypass traverse checking

(SeChangeNotifyPrivilege)

Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to pass through it on the way to an object deeper in the path. Because it is assigned to Everyone, nearly every process holds it, and removing it breaks applications that open files by full path.

Default setting: Administrators, Backup Operators, Power Users, Users, and Everyone.

Change the system time

(SeSystemtimePrivilege)

Allows the user to adjust the time on the computer's internal clock. This privilege is not required to change the time zone or other display characteristics of the system time. Note that Kerberos rejects tickets whose timestamps differ from the domain controller's clock by more than the permitted skew, and that event-log timestamps come from this clock, so changing the time can disrupt authentication and complicate forensic timelines.

Default setting: Administrators and Power Users.

Create a token object

(SeCreateTokenPrivilege)

Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. Because the caller chooses the SIDs and privileges that go into the token, this privilege is equivalent in power to Act as part of the operating system.

Default setting: Not assigned.

When a process requires this privilege, use the Local System (or System) account, which has the privilege inherently. Do not create a separate user account and assign the privilege to it.

Create a pagefile

(SeCreatePagefilePrivilege)

Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive in the Performance Options box on the Advanced tab of System Properties.

Default setting: Administrators.

Debug programs

(SeDebugPrivilege)

Allows the user to attach a debugger to any process, including processes running as Local System. Because a debugger can read and write the memory of the process it is attached to, a holder of this privilege can take complete control of the computer; it provides access to sensitive and critical operating system components and should be treated as equivalent to membership in Administrators.

Default setting: Administrators.

Enable computer and user accounts to be trusted for delegation

(SeEnableDelegationPrivilege)

Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.

Default setting: Not assigned to anyone on member servers and workstations because it has no meaning in those contexts. On domain controllers it is assigned to Administrators by default.

Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service. For this to be possible, the account under which the front-end service runs must be trusted for delegation, and the client's account must not be marked "Account is sensitive and cannot be delegated".

Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks that use Trojan horse programs: a compromised service that is trusted for delegation can impersonate each client that authenticates to it and use that client's credentials to gain access to other network resources.

Force shutdown from a remote system

(SeRemoteShutdownPrivilege)

Allows a user to shut down a computer from a remote location on the network.

Default setting: Administrators.

See also Shut down the system in this table.

Generate security audits

(SeAuditPrivilege)

Allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.

Default setting: Local Service and Network Service. Local System (or System) has the privilege inherently.

See also Manage auditing and security log in this table.

Increase scheduling priority

(SeIncreaseBasePriorityPrivilege)

Allows a user to increase the base priority class of a process. (Increasing relative priority within a priority class is not a privileged operation.) This privilege is not required by administrative tools supplied with the operating system but might be required by software development tools.

Default setting: Administrators.

Load and unload device drivers

(SeLoadDriverPrivilege)

Allows a user to load and unload kernel-mode device drivers, including drivers for Plug and Play devices. This privilege is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer.

Default setting: Administrators.

Do not assign this privilege to any user or group other than Administrators. Device drivers run in kernel mode with full access to the system. A user who has the Load and unload device drivers privilege could unintentionally install malicious code masquerading as a device driver. It is assumed that administrators will exercise greater care and install only drivers with verified digital signatures.

Note: You must have this privilege and also be a member of either Administrators or Power Users in order to install a new driver for a local printer or manage a local printer by setting defaults for options such as duplex printing. The requirement to have both the privilege and membership in Administrators or Power Users is new to Windows XP Professional.

Lock pages in memory

(SeLockMemoryPrivilege)

Allows a process to keep data in physical memory, which prevents the system from paging the data out to the paging file on disk. Assigning this privilege can result in significant degradation of system performance, because the locked pages are unavailable to every other process.

Default setting: Not assigned. Local System (or System) has the privilege inherently.

Manage auditing and security log

(SeSecurityPrivilege)

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not performed unless you enable it by using Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer, so a holder can erase the audit trail of their own activity; forward security events to a collector the holder cannot reach if you rely on that log as evidence.

Default setting: Administrators.

Modify firmware environment values

(SeSystemEnvironmentPrivilege)

Allows modification of firmware environment values, which are settings stored in the nonvolatile RAM of the computer, either by a process through an API or by a user through System Properties. On x86-based computers the only such value is the Last Known Good Configuration setting, which should be modified only by the system; on other platforms the values include boot settings.

Default setting: Administrators.

Perform volume maintenance tasks

(SeManageVolumePrivilege)

Allows a non-administrative or remote user to manage volumes or disks. The operating system also checks for the privilege in a user's access token when a process running in the user's security context calls SetFileValidData(). Note that SetFileValidData() extends a file's valid data length without zeroing the clusters it exposes, so a holder of this privilege can read whatever data previously occupied those clusters on disk.

Default setting: Administrators.

Profile single process

(SeProfileSingleProcessPrivilege)

Allows a user to sample the performance of an application process.

Default setting: Administrators and Power Users.

Ordinarily, you do not need this privilege to use the Performance snap-in. However, you do need the privilege if System Monitor is configured to collect data by using Windows Management Instrumentation (WMI).

Profile system performance

(SeSystemProfilePrivilege)

Allows a user to sample the performance of system processes. This privilege is required by the Performance snap-in only if it is configured to collect data by using Windows Management Instrumentation (WMI).

Default setting: Administrators.

Remove computer from docking station

(SeUndockPrivilege)

Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.

Default setting: Administrators, Power Users, and Users.

Replace a process-level token

(SeAssignPrimaryTokenPrivilege)

Allows a parent process to replace the access token that is associated with a child process. CreateProcessAsUser checks for this privilege, usually together with Adjust memory quotas for a process, when the token being assigned is not already assignable.

Default setting: Local Service and Network Service. Local System has the privilege inherently.

Restore files and directories

(SeRestorePrivilege)

Allows a user to circumvent file and directory permissions when restoring backed up files and directories and to set any valid security principal as the owner of an object. Because it bypasses write permissions, a holder can replace any file or registry key on the system; combined with Back up files and directories it amounts to full control of the file system and registry.

Default setting: Administrators and Backup Operators.

See also Back up files and directories in this table.

Shut down the system

(SeShutdownPrivilege)

Allows a user to shut down the local computer.

Default setting: Administrators, Backup Operators, Power Users, and Users.

See also Force shutdown from a remote system in this table.

Synchronize directory service data

(SeSyncAgentPrivilege)

Allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. This privilege is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.

Default setting: Not assigned. The privilege is relevant only on domain controllers.

Take ownership of files or other objects

(SeTakeOwnershipPrivilege)

Allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. Because the owner of an object can always change its permissions, a holder can grant itself any access to any object; the change remains visible in the object's owner field, which makes it detectable after the fact.

Default setting: Administrators.
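The following PowerShell script is an added example, not code from the Resource Kit. It exports the local user-rights assignments with secedit.exe, parses the [Privilege Rights] section, and reports every holder that is not among the Windows XP Professional defaults in Table B-2; it then shows how to set a privilege's holder list to well-known groups by SID, following the advice above to assign privileges to groups. The default table, the temporary file names under $env:TEMP, and the function names are assumptions for this example. It must run from an elevated prompt, and on versions of Windows other than XP the shipped defaults differ, so a flagged holder means "review this", not "this is wrong".

```powershell
# Added example (not code from the Resource Kit): audit the local privilege (user right)
# assignments exported by secedit.exe against the Windows XP Professional defaults
# in Table B-2, then set a privilege's holder list to groups by SID.
# Run from an elevated prompt. On other Windows versions the shipped defaults differ,
# so a flagged holder means "review this", not "this is wrong".

# Well-known SIDs: 544 Administrators, 551 Backup Operators, 547 Power Users,
# 545 Users, S-1-1-0 Everyone, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE.
$Admins = 'S-1-5-32-544'; $BackupOps = 'S-1-5-32-551'; $PowerUsers = 'S-1-5-32-547'
$Users  = 'S-1-5-32-545'; $Everyone  = 'S-1-1-0';      $LocalSvc   = 'S-1-5-19'; $NetSvc = 'S-1-5-20'

# Default holders from Table B-2 (Local System holds several of these inherently
# and never appears in the policy; an empty list means "Not assigned").
$XpDefaults = @{
    SeTcbPrivilege                  = @()
    SeMachineAccountPrivilege       = @()
    SeIncreaseQuotaPrivilege        = @($Admins, $LocalSvc, $NetSvc)
    SeBackupPrivilege               = @($Admins, $BackupOps)
    SeChangeNotifyPrivilege         = @($Admins, $BackupOps, $PowerUsers, $Users, $Everyone)
    SeSystemtimePrivilege           = @($Admins, $PowerUsers)
    SeCreateTokenPrivilege          = @()
    SeCreatePagefilePrivilege       = @($Admins)
    SeDebugPrivilege                = @($Admins)
    SeEnableDelegationPrivilege     = @()
    SeRemoteShutdownPrivilege       = @($Admins)
    SeAuditPrivilege                = @($LocalSvc, $NetSvc)
    SeIncreaseBasePriorityPrivilege = @($Admins)
    SeLoadDriverPrivilege           = @($Admins)
    SeLockMemoryPrivilege           = @()
    SeSecurityPrivilege             = @($Admins)
    SeSystemEnvironmentPrivilege    = @($Admins)
    SeManageVolumePrivilege         = @($Admins)
    SeProfileSingleProcessPrivilege = @($Admins, $PowerUsers)
    SeSystemProfilePrivilege        = @($Admins)
    SeUndockPrivilege               = @($Admins, $PowerUsers, $Users)
    SeAssignPrimaryTokenPrivilege   = @($LocalSvc, $NetSvc)
    SeRestorePrivilege              = @($Admins, $BackupOps)
    SeShutdownPrivilege             = @($Admins, $BackupOps, $PowerUsers, $Users)
    SeSyncAgentPrivilege            = @()
    SeTakeOwnershipPrivilege        = @($Admins)
}

function Get-PrivilegeRights {
    # Export only the user-rights area and parse its [Privilege Rights] section.
    $inf = Join-Path $env:TEMP 'user_rights_export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            # secedit writes SIDs as *S-1-5-...; accounts it cannot resolve appear as bare names.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Convert-SidToName([string]$Sid) {
    try   { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # deleted or foreign-domain account, or already a name: keep as-is
}

function Compare-PrivilegeDefaults {
    $rights = Get-PrivilegeRights
    foreach ($priv in ($XpDefaults.Keys | Sort-Object)) {
        $actual = if ($rights.ContainsKey($priv)) { $rights[$priv] } else { @() }
        $extra  = @($actual | Where-Object { $XpDefaults[$priv] -notcontains $_ })
        [PSCustomObject]@{
            Privilege  = $priv
            Holders    = ($actual | ForEach-Object { Convert-SidToName $_ }) -join ', '
            NonDefault = ($extra  | ForEach-Object { Convert-SidToName $_ }) -join ', '
        }
    }
}

function Set-PrivilegeHolders([string]$Privilege, [string[]]$HolderSids) {
    # secedit /configure REPLACES the holder list of each privilege named in the
    # template, so pass the complete intended set (groups rather than individual users).
    $inf = Join-Path $env:TEMP 'user_rights_set.inf'
    $db  = Join-Path $env:TEMP 'user_rights_set.sdb'
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
               '[Privilege Rights]',
               ('{0} = {1}' -f $Privilege, (($HolderSids | ForEach-Object { "*$_" }) -join ',')))
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

Compare-PrivilegeDefaults | Format-Table -AutoSize
# Remediation, following the table's advice to assign to groups: restrict
# "Back up files and directories" to Administrators and Backup Operators only.
# Set-PrivilegeHolders -Privilege SeBackupPrivilege -HolderSids $Admins, $BackupOps
```

The comparison is done on SIDs rather than names so that renamed built-in groups and accounts from other domains are matched correctly; names are resolved only for display. The remediation call is left commented out because secedit /configure replaces the entire holder list for each privilege in the template: a list that omits a group the system needs, such as LOCAL SERVICE on Adjust memory quotas for a process, would silently break services, so review the audit output before applying it.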




Microsoft Windows XP Professional Resource Kit 2003