Security

Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are attached to objects (such as printers or folders). For information about permissions, see How Inheritance Affects Permissions later in this chapter.

User rights can be applied to individual users or to user groups. It is simplest to apply rights to user groups because all users who belong to the group will inherit the rights you grant to the group. It is also possible to apply rights to each user, but this requires more administration because you will have to set rights for each user.

User rights that are assigned to a group are applied to all members of the group while they remain members. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights. In general, however, user rights assigned to one group do not conflict with the rights assigned to another group. To remove rights from a user, the administrator simply removes the user from the group.

To Assign User Rights to Groups

  1. Open the Group Policy snap-in to MMC.

  2. Double-click the user right you want to assign to a group. Many user rights are listed under User Rights Assignment.

  3. Click Add, and then enter the group or groups to which you want to grant this right. Click Check Names to confirm that the group names are recognized.

There are two types of user rights:

  • Privileges: A right that is assigned to a user and specifies allowable actions on the network. An example of a privilege is the right to back up files and directories.

  • Logon rights: A right that is assigned to a user and specifies the ways in which a user can log on to a system. An example of a logon right is the right to log on to a system locally.

Privileges

Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case the right to perform a backup, takes precedence over all file and directory permissions.

Table 13.4 shows the privileges that can be assigned to a user by setting user rights. These privileges can be managed with the User Rights policy.

Table 13.4 Privileges That Can Be Assigned to a User

Privilege

Description

Act as part of the operating system

This privilege allows a process to authenticate as any user, and therefore gain access to resources under any user identity. Only low-level authentication services should require this privilege.
The user or process that is granted this privilege might create security tokens that grant them more rights than their normal user profile provides. This includes granting themselves all access as anonymous users, which defeats attempts to audit the identity of the token's user. Do not grant this privilege unless you are certain it is needed.
Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Add workstations to a domain

Allows the user to add a computer to a specific domain. The user specifies the domain on the computer being added, creating an object in the Computer container of Active Directory.

Back up files and directories

Allows the user to circumvent file and directory permissions to back up the system. Specifically, the privilege is similar to granting the following permissions on all files and folders on the local computer: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions. For more information, see Customizing the Desktop in this book.

Bypass traverse checking

Allows the user to pass through directories to which the user otherwise has no access, while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

Change the system time

Allows the user to set the time for the internal clock of the computer.

Create a token object

Allows a process to create a token, using NtCreateToken() or another token-creation API, which it can then use to gain access to any local resource.
It is recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege assigned.

Create permanent shared objects

Allows a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that plan to extend the Windows 2000 object name space. Because components running in kernel mode already have this privilege assigned to them, it is not necessary to specifically assign this privilege.

Create a pagefile

Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a given drive in the Performance Options dialog box, which is accessible through the System Properties dialog box.

Debug programs

Allows the user to attach a debugger to any process. This privilege provides powerful access to sensitive and critical system operating components.

Enable Trusted for Delegation on user and computer accounts

Allows the user to set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process either running on a computer that is trusted for delegation or run by a user who is trusted for delegation can access resources on another computer. This uses a client's delegated credentials, as long as the client account does not have the Account Cannot Be Delegated account control flag set. Misuse of this privilege or of the Trusted for Delegation settings might make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Force shutdown of a remote system

Allows a user to shut down a computer from a remote location on the network.

Generate security audits

Allows a process to make entries in the security log for object access auditing. The process can also generate other security audits. The security log is used to trace unauthorized system access.

Increase quotas

Allows a process with write property access to another process to increase the processor quota assigned to that other process. This privilege is useful for system tuning, but can be abused, as in a denial-of-service attack.

Increase scheduling priority

Allows a process with write property access to another process to increase the execution priority of that other process. A user with this privilege can change the scheduling priority of a process through Task Manager.

Load and unload device drivers

Allows a user to install and uninstall Plug and Play device drivers. Device drivers that are not Plug and Play are not affected by this privilege and can only be installed by administrators. Because device drivers run as trusted (highly privileged) programs, this privilege might be misused to install hostile programs and give these programs destructive access to resources.

Lock pages in memory

Allows a process to keep data in physical memory, preventing the system from paging the data to virtual memory on disk. Exercising this privilege might significantly affect system performance. This privilege is obsolete and is therefore never checked.

Manage auditing and security log

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in the computer-wide audit policy settings, defined under Security Policy on the local computer or under Security Policy in Active Directory. This privilege does not grant access to the computer-wide audit policy.
A user with this privilege can also view and clear the security log in Event Viewer.

Modify firmware environment values

Allows modification of the system environment variables, either by a user through System Properties or by a process.

Profile a single process

Allows a user to use Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of non-system processes.

Profile system performance

Allows a user to use Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes.

Remove a computer from docking station

Allows a user to undock a portable computer with the Windows 2000 user interface.

Replace a process-level token

Allows a process to replace the default token associated with a sub-process that has been started.

Restore files and directories

Allows a user to circumvent file and directory permissions when restoring backed-up files and directories, and to set any valid security principal as the owner of an object. See also the Back up files and directories privilege.

Shut down the system

Allows a user to shut down the local computer.

Take ownership of files or other objects

Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

For more information, see Security Policy later in this chapter.

Logon Rights

Logon rights are assigned to users and specify the ways in which a user can log on to a system. Like privileges, they are managed with the User Rights policy.

Table 13.5 lists and describes Windows 2000 logon rights.

Table 13.5 Windows 2000 Professional Default Logon Rights

Logon Right

Description

Access this computer from a network

Allows a user to connect to the computer over the network. By default, this right is granted to Administrators, Everyone, and Power Users.

Deny access to this computer

Denies a user the ability to connect to the computer over the network. By default, this right is granted to no one.

Log on as a batch job

Allows a user to log on using a batch-queue facility. By default, this right is granted to Administrators.

Deny log on as a batch job

Denies a user the ability to log on using a batch-queue facility. By default, this right is granted to no one.

Log on as a service

Allows a security principal to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone.

Deny logon as a service

Denies a security principal the ability to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone.

Log on locally

Allows a user to log on at the computer's keyboard. By default, this right is granted to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.

Deny log on locally

Denies a user the ability to log on at the computer's keyboard. By default, this right is granted to no one.
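As an added example (not part of the Resource Kit text), the following PowerShell script audits the local User Rights policy against Table 13.4 and Table 13.5: it exports the policy with secedit.exe, lists who holds the privileges described above as able to override permissions or to act as the operating system, and reports where a Deny logon right cancels a matching allow right, the one conflict case noted at the start of this section. The LSA constant names (SeTcbPrivilege and so on) are the internal names behind the display names in the tables; treating BUILTIN\Administrators as the expected holder is this example's assumption.

```powershell
# Added example, not Resource Kit code: export the local User Rights policy with
# secedit.exe, resolve the SIDs, then (1) list holders of the privileges this
# chapter says can override object permissions or yield operating-system-level
# access and (2) show where a Deny logon right cancels a matching allow right,
# the one case in which rights granted to different groups conflict. Run elevated.
$HighRisk = @{
    SeTcbPrivilege              = 'Act as part of the operating system'
    SeCreateTokenPrivilege      = 'Create a token object'
    SeDebugPrivilege            = 'Debug programs'
    SeLoadDriverPrivilege       = 'Load and unload device drivers'
    SeEnableDelegationPrivilege = 'Enable Trusted for Delegation on user and computer accounts'
    SeBackupPrivilege           = 'Back up files and directories'
    SeRestorePrivilege          = 'Restore files and directories'
    SeTakeOwnershipPrivilege    = 'Take ownership of files or other objects'
}
$LogonPairs = @{   # allow logon right -> its Deny counterpart
    SeNetworkLogonRight     = 'SeDenyNetworkLogonRight'
    SeBatchLogonRight       = 'SeDenyBatchLogonRight'
    SeServiceLogonRight     = 'SeDenyServiceLogonRight'
    SeInteractiveLogonRight = 'SeDenyInteractiveLogonRight'
}
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
# [Privilege Rights] lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...
$rights = @{}; $inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(?<name>Se\w+)\s*=\s*(?<sids>.*)$') {
        $rights[$matches['name']] = @(foreach ($s in $matches['sids'] -split ',') {
            $sid = $s.Trim().TrimStart('*')
            if (-not $sid) { continue }
            try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid }   # unresolvable SID (deleted account): keep it raw so it is still reported
        })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
# (1) High-risk privileges held by anyone other than BUILTIN\Administrators
#     (treating Administrators as the expected holder is this example's assumption).
foreach ($p in $HighRisk.Keys | Sort-Object) {
    $others = @($rights[$p]) | Where-Object { $_ -and $_ -ne 'BUILTIN\Administrators' }
    if ($others) { "{0} ({1}): {2}" -f $HighRisk[$p], $p, ($others -join ', ') }
}
# (2) Principals granted a logon right and its Deny counterpart: the Deny wins.
foreach ($allow in $LogonPairs.Keys) {
    $deny = $LogonPairs[$allow]
    $both = @($rights[$allow]) | Where-Object { @($rights[$deny]) -contains $_ }
    foreach ($b in $both) { "{0}: {1} is also in {2}; the Deny takes precedence" -f $allow, $b, $deny }
}
```

Rights that are assigned to no one are omitted from the secedit export, so a privilege that never appears in the output is unassigned rather than unresolved.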