User rights
This excerpt from Chapter 5 of "The definitive guide to Windows 2000 security" explains how logon rights and permissions work.
Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.
User rights
If you've dealt with NT at all, you're already familiar with the concepts of user rights and extended rights. Windows 2000 redefines both of these terms and calls them logon rights and privileges, respectively. Overall, the rights in Windows 2000 are the same; they just have different names. Windows 2000 also offers a few more user rights than was previously available.
While permissions are designed to affect one or more objects, a user right is an authorization that lets a security principal perform an operation across an entire computer. As I just mentioned, user rights and extended rights in Windows 2000 come in two distinct flavors: logon rights and privileges. Logon rights allow you to control the authorizations that govern how your users and other security principals access a computer. Privileges allow you to control the authorizations that govern how users are allowed to manipulate system resources. The logon rights and privileges available in Windows 2000 are listed in Table 5.3.
| User right | Type | Description |
| Access this computer from the network | Logon right | Determines which accounts can connect to the computer over the network. |
| Act as part of the OS | Privilege | Allows a process to authenticate as any user. |
| Add workstations to the domain | Privilege | Determines which accounts can add computers to the domain. |
| Back up files and directories | Privilege | Determines which accounts can back up folders and files. |
| Bypass traverse checking | Privilege | Determines which accounts can bypass folder traverse checking. |
| Change the system time | Privilege | Determines which accounts can change the computer's time. |
| Create a pagefile | Privilege | Determines which accounts can create or modify the pagefile settings of a computer. |
| Create a token object | Privilege | Determines which accounts can create a token object that can be used to gain access to any local resource or object. |
| Create permanent shared objects | Privilege | Determines which accounts can create a folder in the kernel's object manager. |
| Debug programs | Privilege | Determines which accounts can attach a debugger to any process. |
| Deny access to this computer from the network | Logon right | Determines which accounts cannot connect to the computer over the network. |
| Deny logon as batch job | Logon right | Determines which accounts cannot log on to the computer as a batch job. |
| Deny logon as service | Privilege | Determines which accounts cannot log on to the computer as a service account. |
| Deny logon locally | Logon right | Determines which accounts cannot log on to the computer from the console. |
| Enable computer and user accounts to be trusted for delegation | Privilege | Determines which accounts can set the Trusted for Delegation setting on user and computer accounts. |
| Force shutdown from a remote system | Privilege | Determines which accounts can shut down a computer from a remote location on the network. |
| Generate security audits | Privilege | Determines which accounts can add entries to the security log. |
| Increase quotas | Privilege | Determines which accounts can increase the operating quotas of a process. |
| Increase scheduling priority | Privilege | Determines which accounts can increase the scheduling priority of a thread. |
| Load and unload device drivers | Privilege | Determines which accounts can load and unload system device drivers. |
| Lock pages in memory | Privilege | Is obsolete and shouldn't be used. |
| Log on as a batch job | Logon right | Determines which accounts can log on to the computer as a batch job. |
| Log on as a service | Logon right | Determines which accounts can log on to the computer as a service account. |
| Log on locally | Logon right | Determines which accounts can log on to the computer from the console. |
| Manage auditing and security log | Privilege | Determines which accounts can configure object access auditing for resources and objects. |
| Modify firmware environment variables | Privilege | Determines which accounts can modify system-wide environment variables.< |
| Profile single process | Privilege | Determines which accounts can profile the execution of a single process. |
| Remove computer from docking station | Privilege | Determines which accounts can remove a laptop from a docking station. |
| Replace a process-level token | Privilege | Determines which accounts can replace the token of a sub-process. |
| Restore files and directories | Privilege | Determines which accounts can restore folders and files. |
| Shut down the system | Privilege | Determines which accounts can shut down the computer. |
| Synchronize directory service data | Privilege | Isn't implemented and shouldn't be used. |
| Take ownership of files or other objects | Privilege | Determines which accounts can take ownership of files or other objects without regard to object permissions. |
Table 5.3: Logon rights and privileges in Windows 2000.
|
Click for the next excerpt in this series: Permissions vs. privileges
Click for the book excerpt series or get the full e-book.
Start the conversation
0 comments