The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian


Windows Server 2008 User Right Assignments - Defined

If you haven't noticed yet, Windows Server 2008 has several more User Rights Assignments in Local Security Policy than earlier versions did. If you're looking for a definition of one or all of them, take a look below. These are the same settings that are found in Group Policy at Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. The descriptions refer to the two baselines from the Windows Server 2008 Security Guide: EC (Enterprise Client) and SSLF (Specialized Security - Limited Functionality).
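Before going through the list, it helps to know what a given server actually has. The following is an added example (my own script, not something from the Security Guide or the original post): it exports the user rights currently applied to the computer with secedit.exe, resolves the SIDs to account names, and reports anyone outside a baseline of expected holders for the rights that are effectively administrator-equivalent. The $expected baseline is an assumption you should adapt to your own environment; run the script from an elevated prompt.

```powershell
# Added example, not part of the original post or the Windows Server 2008 Security Guide.
# Exports the user rights applied to this computer and reports holders of
# administrator-equivalent rights that are not in the $expected baseline below.
# Requires an elevated prompt; secedit.exe and SID translation are built in (PS 2.0 is enough).

# Rights that amount to full control of the machine (or the domain, on a DC),
# keyed by the constant you see in secedit exports and in Security log events.
$sensitive = @{
    'SeTcbPrivilege'                  = 'Act as part of the operating system'
    'SeCreateTokenPrivilege'          = 'Create a token object'
    'SeDebugPrivilege'                = 'Debug programs'
    'SeBackupPrivilege'               = 'Back up files and directories'
    'SeRestorePrivilege'              = 'Restore files and directories'
    'SeTakeOwnershipPrivilege'        = 'Take ownership of files or other objects'
    'SeLoadDriverPrivilege'           = 'Load and unload device drivers'
    'SeAssignPrimaryTokenPrivilege'   = 'Replace a process level token'
    'SeImpersonatePrivilege'          = 'Impersonate a client after authentication'
    'SeEnableDelegationPrivilege'     = 'Enable computer and user accounts to be trusted for delegation'
    'SeTrustedCredManAccessPrivilege' = 'Access Credential Manager as a trusted caller'
    'SeSyncAgentPrivilege'            = 'Synchronize directory service data'
    'SeSecurityPrivilege'             = 'Manage auditing and security log'
    'SeRemoteInteractiveLogonRight'   = 'Allow log on through Terminal Services'
}

# Baseline of who may hold each right (assumption: adjust to your environment).
# A sensitive right with no entry here is expected to be held by no one.
$expected = @{
    'SeDebugPrivilege'              = @('BUILTIN\Administrators')
    'SeBackupPrivilege'             = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeRestorePrivilege'            = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeTakeOwnershipPrivilege'      = @('BUILTIN\Administrators')
    'SeLoadDriverPrivilege'         = @('BUILTIN\Administrators')
    'SeSecurityPrivilege'           = @('BUILTIN\Administrators')
    'SeRemoteInteractiveLogonRight' = @('BUILTIN\Administrators')
    'SeAssignPrimaryTokenPrivilege' = @('NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    'SeImpersonatePrivilege'        = @('BUILTIN\Administrators', 'NT AUTHORITY\SERVICE',
                                        'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
}

function Resolve-Holder([string]$Entry) {
    # secedit writes SIDs as *S-1-5-..., everything else as a plain account name.
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }   # orphaned SID (deleted account): still worth seeing
}

function Get-UserRightsAssignment {
    $cfg = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }
    try {
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $right = $matches[1]
                $rawHolders = $matches[2]
                $holders = @($rawHolders -split ',' | Where-Object { $_.Trim() } | ForEach-Object { Resolve-Holder $_ })
                New-Object PSObject -Property @{ Right = $right; Holders = $holders }
            }
        }
    }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Find-UnexpectedRightHolders {
    # Rights that secedit does not export are held by no one, so nothing to flag there.
    foreach ($r in Get-UserRightsAssignment) {
        if (-not $sensitive.ContainsKey($r.Right)) { continue }
        $allowed = @($expected[$r.Right])
        foreach ($h in $r.Holders) {
            if ($allowed -notcontains $h) {
                New-Object PSObject -Property @{ Right = $r.Right; Setting = $sensitive[$r.Right]; Holder = $h }
            }
        }
    }
}

Find-UnexpectedRightHolders | Sort-Object Right | Format-Table Right, Holder, Setting -AutoSize
```

Anything it prints is either a deliberate delegation you can document or a finding. Because secedit exports the policy as applied to the machine, the output reflects Group Policy as well as local settings.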


Access Credential Manager as a trusted caller

This policy setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities.

By default, no accounts are assigned this right. However, to enforce the default setting, the Access Credential Manager as a trusted caller setting is restricted to No One for the SSLF environment discussed in the security guide.

Act as part of the operating system

This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. For this reason, the Act as part of the operating system setting is restricted to No one for both of the environments that are discussed in this guide.

Add workstations to domain

This policy setting only takes effect when applied to domain controllers, because that is where computer accounts are created; it determines which users can join computers to the domain. By default, Authenticated Users hold this right on domain controllers, and each of them can create up to ms-DS-MachineAccountQuota (10 by default) computer accounts. Users who have been granted Create Computer Objects permission on an OU are not subject to the quota. Removing Authenticated Users from this right, or setting the quota to 0, closes the path that lets any domain user bring an uncontrolled machine into the domain.
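To go with this, here is an added example (my own script, not from the guide or the original post). It reads ms-DS-MachineAccountQuota from the domain head through ADSI, lists the computer accounts that were created under the quota (they carry the creator's SID in mS-DS-CreatorSID, which accounts created by someone with Create Computer Objects permission do not), and can set the quota to 0 so that only explicitly delegated principals can join machines. Run it on a domain-joined computer as a domain user; Set-MachineAccountQuota needs write access to the domain object (Domain Admins by default). The domain name in the comments is hypothetical.

```powershell
# Added example, not part of the original post. Checks the two things that together decide
# who can create computer accounts: the "Add workstations to domain" right (Authenticated
# Users by default) and the per-user quota ms-DS-MachineAccountQuota (10 by default).
# Uses ADSI only, so it works on Windows Server 2008 without the ActiveDirectory module.

function Get-DomainObject {
    # Bind to the domain head, e.g. DC=corp,DC=example (hypothetical name)
    $dn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    return [ADSI]"LDAP://$dn"
}

function Get-MachineAccountQuota {
    $domain = Get-DomainObject
    $value = $domain.Properties['ms-DS-MachineAccountQuota'].Value
    if ($value -eq $null) { return 0 }   # attribute absent: nobody can use the quota
    return [int]$value
}

function Set-MachineAccountQuota([int]$Quota) {
    # Quota 0 leaves the user right in place but makes it useless without explicit
    # Create Computer Objects permission on an OU, which is the usual hardening step.
    $domain = Get-DomainObject
    $domain.Put('ms-DS-MachineAccountQuota', $Quota)
    $domain.SetInfo()
}

function Get-QuotaCreatedComputers {
    # Computer objects created under the quota (rather than by a delegated principal)
    # keep the creator's SID in mS-DS-CreatorSID; that is the list to review.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = Get-DomainObject
    $searcher.Filter = '(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'mS-DS-CreatorSID', 'whenCreated'))
    foreach ($result in $searcher.FindAll()) {
        $sidBytes = $result.Properties['ms-ds-creatorsid'][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator has since been deleted
        New-Object PSObject -Property @{
            Computer  = $result.Properties['name'][0]
            CreatedBy = $creator
            Created   = $result.Properties['whencreated'][0]
        }
    }
}

'ms-DS-MachineAccountQuota is {0}' -f (Get-MachineAccountQuota)
Get-QuotaCreatedComputers | Sort-Object CreatedBy | Format-Table Computer, CreatedBy, Created -AutoSize
# Once the accounts that legitimately join machines have been delegated Create Computer
# Objects on the right OU, close the quota path:
# Set-MachineAccountQuota -Quota 0
```

A long list of machines created by ordinary users, or by one user in particular, is the thing to look for; each of those is a computer account the user controls the password for.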

Adjust memory quotas for a process

This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, this setting could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, and Network Service groups for the SSLF environment. The setting is configured to Not Defined for the EC environment.

Allow log on locally

This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the computer keyboard require this user right.

Microsoft recommends that you enable this setting through Group Policy and restrict this right to members of the Administrators group. Assign this user right to the other Operator level administrative security groups, such as Backup Operators or Server Operators, if your organization requires that they have this capability.

Allow log on through Terminal Services

This policy setting determines which users or groups have the right to log on as a Terminal Services (Remote Desktop) client; every RDP logon is checked against it. Microsoft recommends that you restrict this user right to the Administrators group to prevent unwanted users from gaining access to computers on your network over Remote Desktop. By default, member servers also grant it to the Remote Desktop Users group, so a dedicated Terminal Server will need that group (or your own group of permitted users) added back.

Back up files and directories

This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply. Be aware that this is effectively a read-everything right (SeBackupPrivilege): a holder can copy any file on the system regardless of its ACL, including the registry hives and, on a domain controller, the Active Directory database with its password hashes. Treat Backup Operators, and any other holder, as administrator-equivalent.

Bypass traverse checking

This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they browse an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

Change the system time

This policy setting determines which users and groups can change the time and date of the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time, which may not be the actual time that the events occurred. On a domain member, skewing the clock by more than the Kerberos tolerance (five minutes by default) also breaks Kerberos authentication, which is a denial of service in its own right.

Change the time zone

This setting determines which users can change the time zone of the computer. The capability poses no great risk to the computer, but modifications affect all users and applications on it, which could cause confusion in shared terminal server environments. Changing the time zone does not change the underlying UTC clock, so unlike the previous setting it does not affect Kerberos or the timestamps written to the event log.

Create a pagefile

This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

Create a token object

This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments in which security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

Create global objects

This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.

Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption.

Create permanent shared objects

This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right.

Create symbolic links

This policy setting determines which users can create symbolic links. In Windows Server 2008, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk file) to another file system object, which can be a file, folder, shortcut or another symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only works from within the Windows shell. To other programs and applications, shortcuts are just another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature of the NTFS file system.

Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only members of the Administrators group can create symbolic links.

Debug programs

This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right; a user can always debug processes that run under his own account. Developers who are debugging new system components do need it. Keep in mind that a holder of SeDebugPrivilege can open any process, including those running as SYSTEM such as lsass.exe, and inject code or read credentials from it, so in practice this right is equivalent to local administrator and should be restricted to the Administrators group.

Deny access to this computer from the network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Deny log on as a batch job

This policy setting prohibits users from logging on to a computer through a batch-queue facility, which is a feature in Windows Server 2008 that you can use to schedule jobs to run automatically one or more times in the future.

Deny log on as a service

This policy setting determines which accounts are prevented from registering a process as a service; it overrides Log on as a service if an account is subject to both. Use it for accounts that should never run services: an account that can log on as a service could be used to configure and launch new unauthorized services, such as a keylogger or other malware.

Deny log on locally

This policy setting prohibits users from logging on locally to the computer console. If unauthorized users can log on locally to a computer, they can download malicious code or elevate their privileges on the computer. In addition, if attackers have physical access to the console, there are other risks to consider. This user right should not be assigned to those users who need physical access to the computer console.

Deny log on through Terminal Services

This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

Enable computer and user accounts to be trusted for delegation

This policy setting allows users to change the Trusted for Delegation setting on a user or computer object in Active Directory®. Abuse of this privilege could allow unauthorized users to impersonate other users on the network: an account that is trusted for unconstrained delegation receives a copy of the Kerberos ticket-granting ticket of every user who authenticates to it, and constrained delegation lets it request service tickets on a user's behalf. By default, only Administrators on domain controllers hold this right, and it should stay that way.

Force shutdown from a remote system

This policy setting allows users to shut down Windows-based computers from remote locations on the network. An unauthorized shutdown of a server is a type of denial of service (DoS) condition that makes the computer unavailable to service user requests. Microsoft recommends that you assign this user right only to highly trusted administrators.

Generate security audits

This policy setting determines which users or processes can generate audit records in the Security log. An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.

Impersonate a client after authentication

This policy setting allows programs to impersonate a user so that the program can act on behalf of the user. Requiring authentication first helps prevent elevation of privilege attacks.

Services that the Service Control Manager starts have the built-in group "Service" added by default to their access tokens. COM servers that the COM infrastructure starts and configures to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started.

In addition, a user can impersonate an access token if any of the following conditions exist:

  • The access token that is being impersonated is for the same user that is making the request.
  • The user, in this logon session, logged on to the network with explicit credentials to create the access token.
  • The requested level is less than Impersonate, such as Anonymous or Identify.

An attacker with the Impersonate a client after authentication user right could create a service that impersonates any logged on user in order to elevate the attacker's level of access to that of the logged on user or to the level of the client computer's system account. In practice this is the right that service identities such as IIS application pool accounts hold, and an attacker who can run code as one of them and coerce a SYSTEM process to authenticate to a listener under his control can impersonate that token. It is one of the most common local privilege escalation paths on Windows, so compromise of any account holding SeImpersonatePrivilege should be treated as compromise of the machine.

Increase a process working set

This policy setting determines which user accounts can increase or decrease the size of a process working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

This right is granted to all users by default. Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system, so malicious code could raise a working set to a level that severely degrades performance and potentially causes a denial of service. Environments that need to mitigate this can limit which users are allowed to increase a process working set.

Increase scheduling priority

This policy setting allows users to change the amount of processor time that a process uses. An attacker could use this capability to increase the priority of a process to real-time and create a denial of service (DoS) condition for a computer.

Load and unload device drivers

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. Because drivers run in kernel mode, anyone who can load one has full control of the system, so this right is administrator-equivalent. On 64-bit Windows Server 2008, kernel-mode code signing is enforced and the driver must also carry a valid signature, which raises the bar but does not make the right safe to hand out. This user right is required to add local printers or printer drivers in Windows Server 2008.

Lock pages in memory

This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned and abused, significant degradation of system performance can occur.

Log on as a batch job

This policy setting allows accounts to log on using the Task Scheduler service. Because the Task Scheduler is often used for administrative purposes, you may need this right in the EC environment. However, Microsoft recommends restricting its use in the SSLF environment to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user level access to a computer.

Log on as a service

This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on all computers in an SSLF environment, but because many applications may require this right, you should carefully evaluate and test this setting before configuring it in an EC environment. On servers running Windows Server 2008, no users or groups have this right by default.

Manage auditing and security log

This policy setting determines which users can change the auditing options for files and directories and clear the Security log. Because the default already limits this to Administrators, this setting enforces the default value of the Administrators group for both the EC and SSLF environments. Clearing the Security log is a classic way to cover tracks; the clearing itself is recorded as event ID 1102, but everything before it is gone, so forward the Security log to a collector if you need the evidence to survive.

Modify an object label

This policy setting determines which users can change the integrity level of objects, such as files, registry keys or processes owned by other users. Note that a user can change the integrity level of an object that is owned by that user to a lower level without holding this privilege.

Modify firmware environment values

This policy setting allows users to modify the system-wide firmware environment variables that affect hardware and boot configuration. These values live in the firmware (NVRAM on EFI systems) rather than in the registry; on BIOS-based x86 and x64 systems the right has little practical effect. Modification of these values could leave the system unable to boot, which is a DoS condition.

Because this capability represents a relatively small threat, this setting enforces the default value of the Administrators group for both the EC and SSLF environments.

Perform volume maintenance tasks

This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a DoS condition.

Profile single process

This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that they could use to mount an attack on the system.

Profile system performance

This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. This setting enforces the default of the Administrators group for both the EC and SSLF environments.

Remove computer from docking station

This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. This setting is not usually relevant in server scenarios.

Replace a process level token

This policy setting allows one process or service to start another service or process with a different security access token, which an intruder can use to modify the security access token of that sub-process to escalate privileges. This setting enforces the default values of Local Service and Network Service for both the EC and SSLF environments.

Restore files and directories

This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Server 2008. This right also determines which users can set any valid security principal as the owner of an object; it is the write-side counterpart of the Back up files and directories user right. A holder of SeRestorePrivilege can overwrite any file regardless of its ACL, including system binaries and registry hives, so it is administrator-equivalent and should be restricted accordingly.

Shut down the system

This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a DoS condition.

Synchronize directory service data

This policy setting determines which users have the authority to synchronize all directory service data. A holder of this right (SeSyncAgentPrivilege) can read every object and attribute in the directory, including attributes that are normally protected, so it should only be granted to the account of a directory synchronization service that genuinely needs it. No account holds it by default.

Take ownership of files or other objects

This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and gives ownership to the specified user, who can then grant himself any access. This setting enforces the default value of the Administrators group for both the EC and SSLF environments.
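The rights above tell you who is configured to hold a privilege; the Security log tells you who actually logs on with one. Every logon that receives an administrator-equivalent privilege is recorded as event 4672 (Special privileges assigned to new logon, in the Audit Special Logon subcategory, which is on by default), with the privilege list in the event data. The following is an added example (my own script, not from the guide or the original post) that pulls those events through Get-WinEvent, parses the PrivilegeList field from the event XML, and reports accounts outside an allowlist that were handed SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeImpersonatePrivilege, SeLoadDriverPrivilege, SeTcbPrivilege or the token-manipulation rights. Two sample events are constructed inline so the parsing can be exercised without a live log; the account names, SIDs, times and the CORP domain in them are made up, and the $allowed list is an assumption to adapt.

```powershell
# Added example, not part of the original post. Reviews Security event 4672
# ("Special privileges assigned to new logon") and reports logons that received
# administrator-equivalent privileges for accounts you do not expect to get them.
# Requires PowerShell 2.0 (Get-WinEvent) and read access to the Security log.

# Privileges whose grant at logon means the session can take over the machine.
$watch = @('SeTcbPrivilege', 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
           'SeLoadDriverPrivilege', 'SeImpersonatePrivilege', 'SeCreateTokenPrivilege',
           'SeAssignPrimaryTokenPrivilege')

# Accounts allowed to receive them (assumption: built-in service identities plus your admins;
# CORP is a hypothetical domain name).
$allowed = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE',
             'CORP\Administrator')

function ConvertFrom-SpecialLogonXml([string]$EventXml) {
    # Pull the named EventData fields out of the 4672 XML; PrivilegeList is a
    # whitespace-separated list of privilege constants.
    $xml = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $privs = @($data['PrivilegeList'] -split '\s+' | Where-Object { $_ })
    New-Object PSObject -Property @{
        Time       = [datetime]$xml.Event.System.TimeCreated.SystemTime
        Account    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId    = $data['SubjectLogonId']
        Privileges = $privs
    }
}

function Find-SuspiciousSpecialLogons([string[]]$EventXmls) {
    foreach ($x in $EventXmls) {
        $e = ConvertFrom-SpecialLogonXml $x
        if ($allowed -contains $e.Account) { continue }
        $hits = @($e.Privileges | Where-Object { $watch -contains $_ })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Time = $e.Time; Account = $e.Account; LogonId = $e.LogonId
                Privileges = ($hits -join ', ')
            }
        }
    }
}

function Get-SpecialLogonXml([int]$MaxEvents = 1000) {
    # Live path: the most recent $MaxEvents 4672 events from this computer's Security log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() }
}

# Constructed sample events (made-up names, SIDs and times) so the parser runs offline.
# The first is the normal SYSTEM logon; the second is a service account that was given
# SeImpersonatePrivilege and SeBackupPrivilege, which is the kind of thing to question.
$sampleSystem = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID><TimeCreated SystemTime="2008-09-01T10:15:00.000Z"/></System><EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data><Data Name="SubjectLogonId">0x3e7</Data><Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
			SeTcbPrivilege
			SeDebugPrivilege</Data></EventData></Event>
'@
$sampleService = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID><TimeCreated SystemTime="2008-09-01T10:16:30.000Z"/></System><EventData><Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data><Data Name="SubjectUserName">svc_web</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectLogonId">0x4f2a1</Data><Data Name="PrivilegeList">SeImpersonatePrivilege
			SeBackupPrivilege</Data></EventData></Event>
'@

Find-SuspiciousSpecialLogons @($sampleSystem, $sampleService) | Format-Table Time, Account, LogonId, Privileges -AutoSize
# Against the live log:
# Find-SuspiciousSpecialLogons (Get-SpecialLogonXml) | Format-Table Time, Account, LogonId, Privileges -AutoSize
```

With the samples, only CORP\svc_web is reported, with SeImpersonatePrivilege and SeBackupPrivilege. Pair the output with the secedit export: an account that shows up here but is not a configured holder of the right got it through group membership, which is the usual way these rights spread unnoticed.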