Appendix B - User Rights and Privileges

The table below identifies the default user rights assignments on Windows 2000 systems and provides a list of changes recommended earlier in this document.

The table identifies the default user rights assigned to users on stand-alone Windows 2000 Professional and Server systems and on a Windows 2000 Domain Controller. It also identifies the default user rights in a Domain Security Policy (all are Not Defined by default). Assignments in the Domain Security Policy override Local Security Policy settings for domain members.

User right/privilege assignments can be found in the Local and Domain Security Policy GUI, as follows:

  • Windows 2000 Professional:

    Administrative Tools --> Local Security Policy --> Security Settings\Local Policies\User Rights Assignment

  • Windows 2000 Server:

    Administrative Tools --> Local Security Policy --> Security Settings\Local Policies\User Rights Assignment

  • Windows 2000 Domain Controller:

    Administrative Tools --> Domain Controller Security Policy --> Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Administrative Tools --> Domain Security Policy --> Windows Settings\Security Settings\Local Policies\User Rights Assignment

User Rights/Privileges

Each entry below gives the right or privilege, its internal name, a description, and then one line for each policy column of the original table:

  Professional (stand-alone)   Groups assigned this right on stand-alone Windows 2000 Professional
  Server (stand-alone)         Groups assigned this right on stand-alone Windows 2000 Server
  Domain Security Policy       Groups assigned this right in the Windows 2000 Domain Security Policy (located on the Domain Controller)
  Domain Controller Policy     Groups assigned this right on a Windows 2000 Domain Controller with AD services (Domain Controller Security Policy)

Each column line shows the default assignment followed by the recommendation: either "No Change" or the recommended replacement list.

Logon Rights

Access this Computer from the Network (SeNetworkLogonRight)

  Determines which users are allowed to connect over the network to the computer.

  Professional (stand-alone): Default: Administrators, Backup Operators, Power Users, Users, Everyone; Recommended Change: Administrators, Backup Operators, Power Users, Users, Authenticated Users
  Server (stand-alone): Default: Administrators, Backup Operators, Power Users, Users, Everyone; Recommended Change: Administrators, Backup Operators, Power Users, Users, Authenticated Users
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators, Authenticated Users, Everyone; Recommended Change: Administrators, Authenticated Users

Log on as a batch job (SeBatchLogonRight)

  Allows a user to log on by using a batch-queue facility.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Log on locally (SeInteractiveLogonRight)

  Allows a user to log on locally at the computer's keyboard.

  Professional (stand-alone): Default: Administrators, Backup Operators, Power Users, Users, Machinename\Guest; Recommended Change: Administrators, Backup Operators, Power Users, Users
  Server (stand-alone): Default: Administrators, Backup Operators, Power Users, Users, Machinename\Guest, Machinename\TsInternetUser; Recommended Change: Administrators, Backup Operators, Power Users, Users
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators, TsInternetUser; Recommended Change: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators

Log on as a service (SeServiceLogonRight)

  Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Deny access to this computer from the network (SeDenyNetworkLogonRight)

  Prohibits a user or group from connecting to the computer from the network.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Deny local logon (SeDenyInteractiveLogonRight)

  Prohibits a user or group from logging on locally at the keyboard.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Deny logon as a batch file (SeDenyBatchLogonRight)

  Prohibits a user or group from logging on through a batch-queue facility.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Deny logon as a service (SeDenyServiceLogonRight)

  Prohibits a user or group from logging on as a service.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Privileges

Act as part of the operating system (SeTcbPrivilege)

  Allows a process to authenticate as a user and thus gain access to the same resources as that user. Only low-level authentication services should require this privilege.

  The potential access is not limited to what is associated with the user by default, because the calling process may request that arbitrary additional accesses be put in the access token. Of even more concern is that the calling process can build an anonymous token that can provide any and all accesses. Additionally, the anonymous token does not provide a primary identity for tracking events in the audit log.

  The LocalSystem account uses this privilege by default.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Add workstations to the domain (SeMachineAccountPrivilege)

  Allows a user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain. A user who has this privilege can add up to 10 workstations to the domain.

  In Windows 2000, the behavior of this privilege is duplicated by the Create Computer Objects permission for organizational units and the default Computers container in Active Directory. Users who have the Create Computer Objects permission can add an unlimited number of computers to the domain.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Authenticated Users; Recommended Change: Domain Admins

Backup files and directories (SeBackupPrivilege)

  Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when the application attempts access through the NTFS backup application interface. Otherwise normal file and directory permissions apply.

  Professional (stand-alone): Default: Administrators, Backup Operators; Recommendation: No Change
  Server (stand-alone): Default: Administrators, Backup Operators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators, Backup Operators, Server Operators; Recommendation: No Change

Bypass traverse checking (SeChangeNotifyPrivilege)

  Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft Windows file system or in the Registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.

  Professional (stand-alone): Default: Administrators, Backup Operators, Power Users, Users, Everyone; Recommendation: No Change
  Server (stand-alone): Default: Administrators, Backup Operators, Power Users, Users, Everyone; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators, Authenticated Users, Everyone; Recommendation: No Change

Change the system time (SeSystemTimePrivilege)

  Allows the user to set the time for the internal clock of the computer.

  Professional (stand-alone): Default: Administrators, Power Users; Recommendation: No Change
  Server (stand-alone): Default: Administrators, Power Users; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators, Server Operators; Recommendation: No Change

Create a token object (SeCreateTokenPrivilege)

  Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Create permanent shared objects (SeCreatePermanentPrivilege)

  Allows a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that are running in kernel mode already have this privilege; it is not necessary to assign it to them.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Create a pagefile (SeCreatePagefilePrivilege)

  Allows the user to create and change the size of a pagefile.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Debug programs (SeDebugPrivilege)

  Allows the user to attach a debugger to any process.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)

  Allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flag on the object.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Force shutdown from a remote system (SeRemoteShutdownPrivilege)

  Allows a user to shut down a computer from a remote location on the network.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators, Server Operators; Recommendation: No Change

Generate security audits (SeAuditPrivilege)

  Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access and other security-relevant activities.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Increase quotas (SeIncreaseQuotaPrivilege)

  Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Increase scheduling priority (SeIncreaseBasePriorityPrivilege)

  Allows a process that has Write Property access to another process to increase the execution priority of the other process.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Load and unload device drivers (SeLoadDriverPrivilege)

  Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; only Administrators can install these device drivers. Note that device drivers run as Trusted (highly privileged) processes; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Lock pages in memory (SeLockMemoryPrivilege)

  Allows a process to keep data in physical memory, which prevents the system from paging data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Manage auditing and security log (SeSecurityPrivilege)

  Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and Registry keys. Object access auditing is not actually performed unless it has been enabled in Audit Policy. A user who has this privilege can also view and clear the security log from Event Viewer.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Modify firmware environment values (SeSystemEnvironmentPrivilege)

  Allows modification of system environment variables either by a process through an API or by a user through the System Properties applet.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Profile a single process (SeProfileSingleProcessPrivilege)

  Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes.

  Professional (stand-alone): Default: Administrators, Power Users; Recommendation: No Change
  Server (stand-alone): Default: Administrators, Power Users; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Profile system performance (SeSystemProfilePrivilege)

  Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Remove computer from docking station (SeUndockPrivilege)

  Allows a user of a portable computer to undock the computer by clicking Eject PC on the Start menu.

  Professional (stand-alone): Default: Administrators, Power Users, Users; Recommendation: No Change
  Server (stand-alone): Default: Administrators, Power Users, Users; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Replace a process-level token (SeAssignPrimaryTokenPrivilege)

  Allows a parent process to replace the access token that is associated with a child process.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change

Restore files and directories (SeRestorePrivilege)

  Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object.

  Professional (stand-alone): Default: Administrators, Backup Operators; Recommendation: No Change
  Server (stand-alone): Default: Administrators, Backup Operators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators, Backup Operators, Server Operators; Recommendation: No Change

Shut down the system (SeShutdownPrivilege)

  Allows a user to shut down the local computer.

  Professional (stand-alone): Default: Administrators, Backup Operators, Power Users, Users; Recommended Change: Administrators, Backup Operators, Power Users, Authenticated Users
  Server (stand-alone): Default: Administrators, Backup Operators, Power Users; Recommended Change: Administrators, Backup Operators, Power Users, Authenticated Users
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrators, Account Operators, Backup Operators, Server Operators, Print Operators; Recommendation: No Change

Synchronize directory service data (SeSyncAgentPrivilege)

  Allows a service to provide directory synchronization services. This privilege is relevant only on Domain Controllers.

  Required for a domain controller to use the LDAP directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommendation: No Change
  Domain Controller Policy: Default: Administrator; Recommendation: No Change

Take ownership of files or other objects (SeTakeOwnershipPrivilege)

  Allows the user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, Registry keys, processes, and threads.

  Professional (stand-alone): Default: Administrators; Recommendation: No Change
  Server (stand-alone): Default: Administrators; Recommendation: No Change
  Domain Security Policy: Default: (Not Defined); Recommended Change: Administrators
  Domain Controller Policy: Default: Administrators; Recommendation: No Change

Read unsolicited data from a terminal device (SeUnsolicitedInputPrivilege)

  Required to read unsolicited input from a terminal device. It is obsolete and unused, and it has no effect on the system.

  Professional (stand-alone): Default: None; Recommendation: No Change
  Server (stand-alone): Default: None; Recommendation: No Change
  Domain Security Policy: Default: None; Recommendation: No Change
  Domain Controller Policy: Default: None; Recommendation: No Change
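As an added example (not part of the original guide), the following Python script compares the [Privilege Rights] section of a secedit export against the stand-alone Windows 2000 Professional recommendations in the table above, reporting principals that exceed the recommended list and recommended principals that are absent. It assumes the export was produced with `secedit /export /cfg <file> /areas USER_RIGHTS`, that a right granted to nobody is simply absent from the export, and that the well-known group SIDs are as listed in the script; the sample export is constructed.

```python
# Well-known SIDs of the built-in groups named in the table (constant across installs).
# The Guest account SID is domain-relative (S-1-5-21-<machine>-501), so it is matched by RID.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-551": "Backup Operators",
              "S-1-5-32-547": "Power Users", "S-1-5-32-545": "Users",
              "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

# Recommended assignments for a stand-alone Windows 2000 Professional system, from the table.
RECOMMENDED = {
    "SeNetworkLogonRight": {"Administrators", "Backup Operators", "Power Users", "Users", "Authenticated Users"},
    "SeInteractiveLogonRight": {"Administrators", "Backup Operators", "Power Users", "Users"},
    "SeShutdownPrivilege": {"Administrators", "Backup Operators", "Power Users", "Authenticated Users"},
    "SeTcbPrivilege": set(),  # "None" in the table: any holder at all is a finding
}

def sid_to_name(sid):
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-") and sid.endswith("-501"):
        return "Guest"
    return sid  # unknown principal: keep the raw SID so it still shows up as "extra"

def parse_privilege_rights(inf_text):
    """Return {right: set(holder names)} from the [Privilege Rights] section of a secedit export.
    (Real exports are UTF-16; open them with encoding="utf-16" before passing the text here.)"""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            rights[key.strip()] = {sid_to_name(s.strip().lstrip("*"))
                                   for s in value.split(",") if s.strip()}
    return rights

def findings(rights):
    """Per right: principals beyond the recommendation ("extra") and recommended ones absent ("missing")."""
    out = {}
    for right, want in RECOMMENDED.items():
        have = rights.get(right, set())  # absent right == granted to nobody
        if have != want:
            out[right] = {"extra": sorted(have - want), "missing": sorted(want - have)}
    return out

# Constructed export of a default Professional install (the Guest SID is made up for the example).
SAMPLE_INF = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1111-2222-3333-501
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""
```

Running `findings(parse_privilege_rights(SAMPLE_INF))` on the sample flags Everyone on the network logon right, the Guest account on local logon, and Users (in place of Authenticated Users) on shutdown, which are exactly the three Professional changes the table recommends.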