User Rights Assignment

We have looked at how to control access to objects such as files, folders, and printers in Windows Server 2003 through the use of permissions. The network administrator can also control the tasks that users can perform by assigning user rights. The distinction is where each one lives: permissions are attached to individual objects, whereas user rights are attached to user and group accounts and apply across the whole computer, whatever object is involved.

User rights give or deny users or groups the ability to perform specific tasks on a local computer that can affect its security. They cover everything from the ability to perform system backups to who is able to shut down the system, and several of them (loading a driver, acting as part of the operating system, restoring or taking ownership of files) amount to full control of the computer. When the network administrator is setting up security policies for a network, this is where most of the time will be spent.

Generally, most rights are preassigned to either the Administrators or the Power Users local group. However, there will be occasions when the network administrator needs to reassign rights, either to tighten security or simply to allow users to perform certain tasks.

Although you can assign these rights to an individual user account, to simplify manageability and accountability it is best to assign them at the group level.

There are a large number of rights available. Some of the commonly used ones are listed here; the constant name in parentheses after each is the name under which the right appears in a secedit export and in Security log entries.

  • Access This Computer from the Network (SeNetworkLogonRight) By default this right is granted to most local groups, including the Everyone group. It gives users the ability to access shared resources such as folders, printers, and web services over the network. For greater control, remove this right from the Everyone group, create a new group, and grant the right to it; you can then add the specific users and groups that should be able to reach the computer. Check the companion right, Deny Access to This Computer from the Network, at the same time: a deny entry takes precedence over any allow, so a user in a denied group is blocked even if another of their groups is allowed. Test the change before rolling it out, because anything that reached the server by way of the Everyone group loses access along with the users you meant to exclude.

  • Act as Part of the Operating System (SeTcbPrivilege) This is not a right that will normally be given to a user: a process that holds it can act as any account on the computer, so it is equivalent to complete control of the system. Its common use is for the account under which a service runs, typically a server-based program such as a mail or database server. Most installation programs configure this right for you; however, during disaster recovery it is sometimes necessary to assign it manually. Grant it only to the specific service account, never to a group that people log on with, and check the assignment again after each reinstall.

  • Add Workstations to the Domain (SeMachineAccountPrivilege) As covered in Chapter 2, "Managing User and Computer Accounts," every Windows NT-based computer (Windows NT 4.0, 2000, XP, and Server 2003) must have a computer account in the domain. This account can be created during the installation of the computer or manually at any other time; without it, the computer cannot join the domain. The right is meaningful only on domain controllers. By default the Domain Controllers policy grants it to Authenticated Users, and each user it covers may create up to ten computer accounts (the ms-DS-MachineAccountQuota attribute of the domain); members of Domain Admins can create computer accounts regardless, through their permissions on the container. If a group that doesn't have administrator rights is in charge of installing computers on the network, you can either add the computer accounts before they install the computers, or you can put them in an Install Users group and grant that group this right. Conversely, if only administrators should be able to join machines, remove Authenticated Users from the right and set the quota to 0.

  • Back Up Files and Directories / Restore Files and Directories (SeBackupPrivilege / SeRestorePrivilege) These are two separate rights, each assigned by default only to the Administrators and Backup Operators groups. Improper granting of either creates a security exposure. The backup right lets the holder read any file on the computer: although a user may not have been explicitly granted access to confidential files and folders, the right to perform a backup takes precedence, so they can copy those files off the server. The restore right is the counterpart for writing and lets the holder overwrite any file, including system files, so it is at least as sensitive.

    Note: Backup Rights

    You can either add the users responsible for backups to the Backup Operators group or create a new group and assign these rights to it. The service account for your backup program will also need them.


  • Bypass Traverse Checking (SeChangeNotifyPrivilege) By default this is granted to the Everyone group. It allows users to pass through folders they have no permission on in order to reach a folder beneath them that they do have permission on; for example, if the root folder is restricted, users can still open a subfolder under it to which they have been granted access. It does not let them list or read the restricted folders themselves. Leave it at the default: Windows and most applications assume it is in place, and removing it breaks things in ways that are hard to diagnose. Checking permission on every folder along the path is the POSIX-style behavior, and this right exists so that Windows can skip that check.

  • Change the System Time (SeSystemtimePrivilege) The default is for only Administrators to have this right. In earlier Windows NT networks, users were often granted it so that a logon script could synchronize the clock with the NET TIME command. Since Windows 2000, domain members synchronize their clocks automatically through the Windows Time service, so there is no longer a reason to hand it out. Keep it tight: the system time stamps every audit record, and Kerberos rejects authentication from a computer whose clock is more than five minutes out of step with the domain.

  • Create a Pagefile (SeCreatePagefilePrivilege) By default, this right is assigned only to the Administrators group. Normally, this will not need to be changed; the related security option, Shutdown: Clear Virtual Memory Pagefile, is carried out by the system itself at shutdown and does not require users to hold this right.

  • Force Shutdown from a Remote System (SeRemoteShutdownPrivilege) The default is for this right to be granted only to Administrators and Backup Operators. It allows utilities such as Shutdown.exe (for example, shutdown -r -m \\servername) to reboot computers remotely; the caller also needs network access to the target computer.

  • Increase Scheduling Priority (SeIncreaseBasePriorityPrivilege) This is normally granted to Administrators only. It allows the user to raise the scheduling priority of individual processes, for example with the Task Manager utility; a process run at Realtime priority can starve everything else on the server.

  • Load and Unload Device Drivers (SeLoadDriverPrivilege) By default, this right is granted only to the Administrators group. A driver runs in kernel mode, so whoever holds this right can run any code on the computer with full control; treat it as equivalent to membership in Administrators. It has to be available if your users need to load printer drivers; if so, grant it to a small dedicated group rather than to Users.

  • Log On as a Batch Job (SeBatchLogonRight) This right allows an account to be logged on without a desktop, which is how Task Scheduler runs jobs. The account you specify when scheduling a task (for example, a .bat or .cmd file that runs overnight) needs it; a user who only runs batch files interactively does not.

  • Log On as a Service (SeServiceLogonRight) This right is typically granted to the service accounts under which server applications such as mail and database servers run; the Services console grants it automatically when you set a service's Log On As account. (See the bullet item "Act as Part of the Operating System.") Do not also give a service account interactive logon rights: an account that runs a service should not be able to sit at a console.

  • Allow Log On Locally (SeInteractiveLogonRight) The main use for this right is to keep unauthorized users from logging on at the server console. On a Windows Server 2003 member server the default includes Users and Power Users, so removing Users from it (or adding them to Deny Log On Locally, which overrides it) is the usual hardening step. Under Windows 2000, Terminal Services users also needed this right, because a Terminal Services session is, logically speaking, a logon to a virtual server console. Windows Server 2003 separates that case into its own right, Allow Log On Through Terminal Services, so Terminal Services users need that one rather than local logon.

  • Manage Auditing and Security Log (SeSecurityPrivilege) This right lets the holder configure auditing on individual objects, view and clear the Security log, and change its settings. The default is for only Administrators to have it. Anyone who holds it can erase the record of their own actions, so log clearing (event ID 517 in the Security log) is itself worth watching.

  • Profile System Performance (SeSystemProfilePrivilege) This right is necessary to allow users to monitor system performance using tools such as Performance Monitor. By default only Administrators hold it.

  • Shut Down the System (SeShutdownPrivilege) On servers, only Administrators and Backup Operators have this right by default. If the server is running Terminal Services in Application Mode, Power Users have it, too.

  • Take Ownership of Files or Other Objects (SeTakeOwnershipPrivilege) This right lets the holder take ownership of an object away from its current owner. Because an owner can always change an object's permissions, the holder can obtain full access to any file, registry key, or other securable object on the computer. By default, only Administrators are granted it.

These are just a few of the user rights that can be configured. For a complete listing, consult the online help in Windows Server 2003.

To assign user rights via a Local Security policy, follow the procedure in Step by Step 16.12.

Step by Step

16.12 Assigning user rights via the Local Security Policy

1. Select Start, All Programs, Administrative Tools, Local Security Policy.

2. In the Local Security Settings snap-in, shown in Figure 16.23, expand Local Policies and click User Rights Assignment. The right pane lists every available user right together with its current holders.



Figure 16.23. The Local Security Settings MMC, showing the default settings for a member server.


3. To change a user right, right-click its entry and select Properties from the pop-up menu.

4. The properties window for that right appears, listing the users and groups that currently hold it. From here you can remove those you no longer want to have the right. This affects only the local policy: if the same setting is defined in a Group Policy object at the site, domain, or OU level, that setting overrides the local one. To grant the right to someone else, click Add User or Group.

5. The Select Users or Groups window appears. From it you can add the users or groups that should be granted the right, either from the local accounts database or from Active Directory.

6. Click OK twice when finished. The change applies to each user's next logon; a session that is already running keeps the access token it was built with.

In Figure 16.23, look at the top entry in the right pane. Notice that it has a domain icon. This tells you that the setting for this entry is defined at the domain level, and because of the order in which Group Policy is applied (local, then site, domain, and OU, with each later policy overriding the earlier ones where they conflict), it overrides whatever is set in the local policy. If a right you change does not seem to take effect, that icon is the first thing to check.
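The rights in the list above and the change made through the Local Security Settings console in Step by Step 16.12 can also be audited and applied from the command line with secedit, which exports and imports the same settings as an .inf template. The script below is an added example written for this page, not code from the book or from Microsoft. It parses a constructed export, flags the exposures the list warns about (Everyone with network access, anyone holding Act as Part of the Operating System, non-administrators holding the backup, restore, driver, ownership, or audit rights, and Bypass Traverse Checking removed from Everyone), applies the recommended change for Access This Computer from the Network, and renders the template that secedit /configure consumes. The group name "Network Users", the accounts svc_mail and helpdesk, and the file names rights.inf, fixed.inf, and rights.sdb are assumptions for the example.

```python
"""Audit a Windows user-rights export and build a corrected secedit template.
Added example for this page, not code from the book or from Microsoft.  Input is
the [Privilege Rights] section from  secedit /export /cfg rights.inf /areas USER_RIGHTS
and output is a template for  secedit /configure /db rights.sdb /cfg fixed.inf /areas USER_RIGHTS
The export below is constructed; a real one is UTF-16 (open with encoding="utf-16")
and shows every account as a *SID.  svc_mail and helpdesk are plain names here for
readability, a form secedit also accepts in a template."""

# Well-known SIDs as secedit writes them; the leading '*' marks a SID.
WELL_KNOWN = {
    "*S-1-1-0": "Everyone",
    "*S-1-5-11": "Authenticated Users",
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-545": "Users",
    "*S-1-5-32-547": "Power Users",
    "*S-1-5-32-551": "Backup Operators",
}
ADMINS, BACKUP_OPS, EVERYONE = "*S-1-5-32-544", "*S-1-5-32-551", "*S-1-1-0"

# Rights that should never reach beyond the groups listed here.
EXPECTED_HOLDERS = {
    "SeBackupPrivilege": {ADMINS, BACKUP_OPS},    # read any file, ACLs ignored
    "SeRestorePrivilege": {ADMINS, BACKUP_OPS},   # write any file, ACLs ignored
    "SeLoadDriverPrivilege": {ADMINS},            # kernel-mode code execution
    "SeTakeOwnershipPrivilege": {ADMINS},         # take owner, then rewrite the DACL
    "SeSecurityPrivilege": {ADMINS},              # clear or reconfigure the Security log
}

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeTcbPrivilege = svc_mail
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0
SeLoadDriverPrivilege = *S-1-5-32-544,helpdesk
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {privilege: [account, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [a.strip() for a in value.split(",") if a.strip()]
    return rights

def audit(rights):
    """Return (privilege, finding) pairs for the exposures the text warns about."""
    findings = []
    if EVERYONE in rights.get("SeNetworkLogonRight", []):
        findings.append(("SeNetworkLogonRight", "Everyone can reach shares; grant a specific group"))
    for account in rights.get("SeTcbPrivilege", []):
        name = WELL_KNOWN.get(account, account)
        findings.append(("SeTcbPrivilege", name + " can act as any account; confirm the service needs it"))
    if EVERYONE not in rights.get("SeChangeNotifyPrivilege", []):
        findings.append(("SeChangeNotifyPrivilege", "Everyone lost bypass traverse checking; expect breakage"))
    for priv, allowed in EXPECTED_HOLDERS.items():
        extra = [WELL_KNOWN.get(a, a) for a in rights.get(priv, []) if a not in allowed]
        if extra:
            findings.append((priv, "unexpected holders: " + ", ".join(extra)))
    return findings

def remediate(rights, network_group="Network Users"):
    """Replace Everyone with a named group for network logon and trim the
    admin-only rights back to their expected holders.  network_group is a
    hypothetical local group the administrator has created beforehand."""
    fixed = {priv: list(accounts) for priv, accounts in rights.items()}
    net = [a for a in fixed.get("SeNetworkLogonRight", []) if a != EVERYONE]
    if network_group not in net:
        net.append(network_group)
    fixed["SeNetworkLogonRight"] = net
    for priv, allowed in EXPECTED_HOLDERS.items():
        if priv in fixed:
            fixed[priv] = [a for a in fixed[priv] if a in allowed]
    return fixed

def render_template(rights, only):
    """Build the .inf for secedit /configure.  Each right listed is set to
    exactly the accounts given (an empty value strips it from everyone), and
    rights left out of the template are not touched, so list only what you
    mean to change and every intended holder of it."""
    body = [priv + " = " + ",".join(rights[priv]) for priv in only]
    return "\n".join(["[Unicode]", "Unicode=yes", "[Privilege Rights]", *body,
                      "[Version]", 'signature="$CHICAGO$"', "Revision=1"]) + "\n"

if __name__ == "__main__":
    current = parse_privilege_rights(SAMPLE_EXPORT)
    for priv, finding in audit(current):
        print(priv + ": " + finding)
    fixed = remediate(current)
    print(render_template(fixed, [p for p in current if current[p] != fixed[p]]))
```

On a real server, run the export command from the docstring, point parse_privilege_rights at the resulting file (it is UTF-16, not ASCII), review the findings, and apply the rendered template with the configure command. As with the console procedure, a Group Policy object that defines the same right will put its own value back at the next policy refresh, so the domain icon in Figure 16.23 matters just as much for changes made this way.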




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
