Appendix C - User Rights and Privileges

The table below identifies the default user rights assignments on Windows 2000 systems, defines their applicability to the Windows 2000 Security Target, and provides change requirements and recommendations necessary to comply with Security Target objectives.

The table identifies the default user rights assigned to users on stand-alone Windows 2000 Professional and Server systems and on a Windows 2000 Domain Controller. It also identifies the default user rights in a Domain Security Policy (all "not-defined" by default). Assignments in the Domain Security Policy will override Local Security Policy settings for domain members. The "Required" changes noted in the table are necessary to meet compliance with ST requirements.

User right/privilege assignments can be found in the Local and Domain Security Policy GUI, as follows:

  • Windows 2000 Professional:

    Administrative Tools -> Local Security Policy -> Security Settings\Local Policies\User Rights Assignment

  • Windows 2000 Server:

    Administrative Tools -> Local Security Policy -> Security Settings\Local Policies\User Rights Assignment

  • Windows 2000 Domain Controller:

    Administrative Tools -> Domain Controller Security Policy -> Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Administrative Tools -> Domain Security Policy -> Windows Settings\Security Settings\Local Policies\User Rights Assignment

Table columns:

  • User Rights/Privileges
  • Description
  • Groups Assigned this Right on Stand Alone Windows 2000 Professional
  • Groups Assigned this Right on Stand Alone Windows 2000 Servers
  • Groups Assigned this Right in Windows 2000 Domain Security Policy (Located on Domain Controller)
  • Groups Assigned this Right on Windows 2000 Domain Controller (Domain Controller Security Policy)
  • Applicable Security Target Requirements and/or Rationale for Change

Logon Rights

           

Access this Computer from the Network (SeNetworkLogonRight)

Determines which users are allowed to connect over the network to the computer.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Backup Operators, Power Users, Users, Everyone
    Required Change: Administrators, Backup Operators, Power Users, Users, Authen. Users
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Backup Operators, Power Users, Users, Everyone
    Required Change: Administrators, Backup Operators, Power Users, Users, Authen. Users
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Authen. Users, Everyone
    Required Change: Administrators, Authen. Users

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FIA_UAU.2.1, Authentication and FIA_UID.2, User Identification before any action.

Implements the following TOE Security functions: Para 6.1.3, Identification and Authentication for network logons.

Changes: Do not allow Guest/anonymous logons. Remove/replace accounts with a potential to allow unauthenticated/anonymous access (if Guest were somehow enabled). Replace "Everyone" with "Authenticated Users".

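Log on as a batch job (SeBatchLogonRight)

Allows a user to log on by using a batch-queue facility.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change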

Log on locally (SeInteractiveLogonRight)

Allows a user to log on locally at the computer's keyboard.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Backup Operators, Power Users, Users, Machinename\Guest
    Required Change: Administrators, Backup Operators, Power Users, Users
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Backup Operators, Power Users, Users, Machinename\Guest, Machinename\TsInternetUser
    Required Change: Administrators, Backup Operators, Power Users, Users
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators, TsInternetUser
    Required Change: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FIA_UAU.2.1, Authentication and FIA_UID.2, User Identification before any action.

Implements the following TOE Security functions: Para 6.1.3, Identification and Authentication for local logons.

Changes: Do not allow Guest/anonymous logons. Remove Guest accounts since they allow unauthenticated/anonymous access. Remove TsInternetUser account – Terminal Services will not be implemented for the TOE.

Logon as a service (SeServiceLogonRight)

Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change

Deny Access to this computer from the network (SeDenyNetworkLogonRight)

Prohibits a user or group from connecting to the computer from the network.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change

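Deny local logon (SeDenyInteractiveLogonRight)

Prohibits a user or group from logging on locally at the keyboard.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change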

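Deny logon as a batch file (SeDenyBatchLogonRight)

Prohibits a user or group from logging on through a batch-queue facility.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change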

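Deny logon as a service (SeDenyServiceLogonRight)

Prohibits a user or group from logging on as a service.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change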

Privileges

           

Act as part of the operating system (SeTcbPrivilege)

Allows a process to authenticate as a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.

The potential access is not limited to what is associated with the user by default, because the calling process may request that arbitrary additional accesses be put in the access token. Of even more concern is that the calling process can build an anonymous token that can provide any and all accesses. Additionally, the anonymous token does not provide a primary identity for tracking events in the audit log.

The LocalSystem account uses this privilege by default.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Required: No Change

Applicable Security Target requirements and rationale for change:

Default settings support the following TOE Security Functional Requirements: FPT_SEP.1.2, Domain Separation.

Misuse of this privilege can violate FAU_GEN.1, Audit Generation, FAU_GEN.2, User Identity Association, and FIA_USB.1, User Subject Binding.

Implements the following TOE Security functions: Para 6.1.5.5, Domain Separation.

Use of this privilege by accounts other than LocalSystem can violate the accountability security requirement due to the potential for generating anonymous tokens.

Changes: Set the Domain Policy to None to enforce the default settings on the domain and ensure support of FPT_SEP.1.2, FAU_GEN.1, FAU_GEN.2, and FIA_USB.1.

Add workstations to the domain (SeMachineAccountPrivilege)

Allows a user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain. A user who has this privilege can add up to 10 workstations to the domain.

In Windows 2000, the behavior of this privilege is duplicated by the Create Computer Objects permission for organizational units and the default Computers container in Active Directory. Users who have the Create Computer Objects permission can add an unlimited number of computers to the domain.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Authen. Users
    Required Change: Domain Admins

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Implements the following TOE Security functions:

Para 6.1.4.1, Security Management Functions, describing the domain management function that allows an "authorized administrator" to add and remove machines to and from a domain.

Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to add and remove machines from the domain.

Changes: Set the default on Domain Controller Security Policy from Authenticated Users to Domain Admins to ensure trusted administration and configuration control of the domain infrastructure.

Backup files and directories (SeBackupPrivilege)

Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when the application attempts to access through the NTFS backup application interface. Otherwise normal file and directory permissions apply.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Backup Operators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Backup Operators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Backup Operators, Server Operators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Misuse of this privilege violates FDP_ACF.1(a), Discretionary Access Control by allowing a user to bypass ACL restrictions.

Implements the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to conduct backups.

Do not assign this privilege to any account, other than the defaults, in order to ensure that only authorized administrators are granted this right through membership in the Administrators, Backup Operators, or Server Operators groups.

Bypass traverse checking (SeChangeNotifyPrivilege)

Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft Windows file system or in the Registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Backup Operators, Power Users, Users, Everyone
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Backup Operators, Power Users, Users, Everyone
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Authen. Users, Everyone
    Recommended Change: No Change

Change the system time (SeSystemTimePrivilege)

Allows the user to set the time for the internal clock of the computer.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Power Users
    Required Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Power Users
    Required Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Server Operators
    Required Change: No Change

Applicable Security Target requirements and rationale for change:

Default settings support the following TOE Security Functional Requirements: FMT_SMR.1 Security Roles, and FMT_MTD.1.1(g) Management of TSF Time.

Implements the following TOE Security functions: Para 6.1.4.1, Roles and para 6.1.5.6 Time Service. Can be used to grant authorized users the privilege to set the system time.

Create a token object (SeCreateTokenPrivilege)

Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Required Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Required Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: None
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Required: No Change

Applicable Security Target requirements and rationale for change:

Default settings support the following TOE Security Functional Requirements: FPT_SEP.1.2, Domain Separation.

Implements the following TOE Security functions: Para 6.1.5.5, Domain Separation.

The use of this privilege is not auditable.

Misuse of this privilege can lead to the violation of FIA_USB.1, User Subject Binding, and FAU_GEN.1, Audit Data Generation.

Change: Set the Domain Policy to None for this privilege to enforce the default settings on the domain and ensure support of FPT_SEP.1.2.

When a process requires this privilege, use the LocalSystem account (which already has this privilege), rather than creating a separate account and assigning this privilege to it.

Create permanent shared objects (SeCreatePermanentPrivilege)

Allows a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that are running in kernel mode already have this privilege; it is not necessary to assign it to them.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change

Create a pagefile (SeCreatePagefilePrivilege)

Allows the user to create and change the size of a pagefile.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Implements the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to change pagefile settings.

Change: Set the Domain Policy to Administrators for this privilege to support trusted administration and protect against unauthorized system modifications.

Debug programs (SeDebugPrivilege)

Allows the user to attach a debugger to any process.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Assignment of this privilege violates the FAU_GEN.1, Audit Data Generation and FDP_ACF.1(a), Discretionary Access Control TOE Security Functional Requirements.

This privilege allows the user access to objects regardless of the ACLs. This privilege is not auditable and should not be assigned to any users, including administrators.

Changes: Changed all default privilege assignments to None to ensure compliance with FAU_GEN.1 and FDP_ACF.1(a).

Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)

Allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flag on the object.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: None
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Implements the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the Trusted for Delegation settings on a user or computer in Active Directory.

Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks on the system that use Trojan horse programs, which impersonate incoming clients and use their credentials to gain access to network resources.

Changes: Set the Domain Policy to None for this privilege to protect against unauthorized access and modification.

Force shutdown from a remote system (SeRemoteShutdownPrivilege)

Allows a user to shut down a computer from a remote location on the network.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Server Operators
    Recommended Change: No Change

Generate security audits (SeAuditPrivilege)

Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access and other security relevant activities.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE security requirement through the LocalSystem account: FAU_GEN.1.1, Audit Data Generation.

If granted to users, this privilege would allow non-TSF-generated audit records in the audit log. Use of this privilege is not auditable.

Changes: Set the Domain Policy to None for this privilege. This privilege should not be allowed for any user, including administrators.

Increase quotas (SeIncreaseQuotaPrivilege)

Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Recommended: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Recommended: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Recommended: No Change

Applicable Security Target requirements and rationale for change:

Could be used to support the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

However, there is not an ST requirement that specifically mandates that this ability be restricted to the administrator.

Can support the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to increase the processor quota assigned to a process.

Misuse of this privilege can cause a denial of service, which is a serious security issue, since managing the processor quota affects performance and availability. However, the ST does not claim to address Denial of Service.

Changes: Set the Domain Policy to Administrators for this privilege to enforce trusted administration.

Increase scheduling priority (SeIncreaseBasePriorityPrivilege)

Allows a process that has Write Property access to another process to increase the execution priority of the other process.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Recommended: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Recommended: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Recommended: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

However, there is not an ST requirement that specifically mandates that this ability be restricted to the administrator.

Can be used to support the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to increase process execution priorities.

Misuse of this privilege can cause a denial of service, which is a serious security issue, since managing the processor quota affects performance and availability. However, the ST does not claim to address Denial of Service.

Changes: Set the Domain Policy to Administrators for this privilege to enforce trusted administration.

Load and unload device drivers (SeLoadDriverPrivilege)

Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; only Administrators can install these device drivers. Note that device drivers run as Trusted (highly privileged) processes; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Implements the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to install and configure device drivers.

Changes: Set the Domain Policy to Administrators for this privilege to support trusted administration.

Lock pages in memory (SeLockMemoryPrivilege)

Allows a process to keep data in physical memory, which prevents the system from paging data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change

Manage auditing and security log (SeSecurityPrivilege)

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and Registry keys. Object access auditing is not actually performed unless it has been enabled in Audit Policy. A user who has this privilege also can view and clear the security log from Event Viewer.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement:

  • FMT_SMR.1 Security Roles
  • FAU_SAR.1.1, Audit Review
  • FAU_SAR.2.1, Restricted Audit Review
  • FAU_SAR.3, Selectable Audit Review
  • FAU_SEL.1, Selective Audit
  • FAU_STG.1.1, FAU_STG.1.2, Guarantees of Audit Availability
  • FMT_MOF.1.1(a), Management of Audit
  • FMT_MTD.1.1(a), Management of the Audit Trail
  • FMT_MTD.1.1(b), Management of Audited Events

Implements the following TOE Security functions: Para 6.1.4.1, Roles and para 6.1.1 Audit Function. Can be used to grant authorized users the administrative capability to configure and manage audit data.

Changes: Set the Domain Policy to Administrators for this privilege to support trusted administration.

Modify firmware environment values (SeSystemEnvironmentPrivilege)

Allows modification of system environment variables either by a process through an API or by a user through the System Properties applet.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Recommended Change: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Implements the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to modify system environment variables.

Changes: Set the Domain Policy to Administrators for this privilege to support trusted administration.

Profile a single process (SeProfileSingleProcessPrivilege)

Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Power Users
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Power Users
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Recommended Change: No Change

Applicable Security Target requirements and rationale for change:

Could be used to support the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Could be used to support the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to run performance diagnostics of nonsystem processes.

However, the ST does not claim to address the ability provided by this privilege specifically.

Profile system performance (SeSystemProfilePrivilege)

Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Supports the following TOE Security functions: Para 6.1.4.1, Roles and para 6.1.5.1, System Integrity. Can be used to grant authorized users the administrative capability to run performance diagnostics of system processes.

Changes: Set the Domain Policy to Administrators for this privilege to support trusted administration.

Remove computer from docking station (SeUndockPrivilege)

Allows a user of a portable computer to unlock the computer by clicking "Eject PC" on the Start menu.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Power Users, Users
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Power Users, Users
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Recommended Change: No Change

Replace a process-level token (SeAssignPrimaryTokenPrivilege)

Allows a parent process to replace the access token that is associated with a child process.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Required: No Change

Applicable Security Target requirements and rationale for change:

Assignment of this privilege violates the following TOE Security Functional Requirement: FDP_ACF.1(a), Discretionary Access Control Functions and FIA_USB.1, User Subject Binding, and FAU_GEN.1, Audit Data Generation.

This privilege is not auditable.

Changes: Changed default Domain Security Policy privilege assignments to None to ensure Domain compliance with FDP_ACF.1(a), FIA_USB.1, and FAU_GEN.1.

Do not assign this privilege to any user.

Restore files and directories (SeRestorePrivilege)

Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Backup Operators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Backup Operators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Backup Operators, Server Operators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Misuse of this privilege violates FDP_ACF.1(a), Discretionary Access Control by allowing a user to bypass ACL restrictions.

Implements the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to restore backups.

Do not assign this privilege to any account, other than the defaults, in order to ensure that only authorized administrators are granted this right through membership in the Administrators, Backup Operators, or Server Operators groups.

Shut down the system (SeShutdownPrivilege)

Allows a user to shut down the local computer.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators, Backup Operators, Power Users, Users
    Recommended Change: Administrators, Backup Operators, Power Users, Authenticated Users
  • Stand-alone Windows 2000 Server:
    Default: Administrators, Backup Operators, Power Users
    Recommended Change: Administrators, Backup Operators, Power Users, Authenticated Users
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
    Recommended Change: No Change

Synchronize directory service data (SeSyncAgentPrivilege)

Allows a service to provide directory synchronization services. This privilege is relevant only on Domain Controllers.

Required for a domain controller to use the LDAP directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrator
    Recommended Change: No Change

Take ownership of files or other objects (SeTakeOwnershipPrivilege)

Allows the user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, Registry keys, processes, and threads.

  • Stand-alone Windows 2000 Professional:
    Default: Administrators
    Required: No Change
  • Stand-alone Windows 2000 Server:
    Default: Administrators
    Required: No Change
  • Windows 2000 Domain Security Policy:
    Default: (Not Defined)
    Required Change: Administrators
  • Windows 2000 Domain Controller Security Policy:
    Default: Administrators
    Required: No Change

Applicable Security Target requirements and rationale for change:

Supports the following TOE Security Functional Requirement: FMT_SMR.1 Security Roles.

Misuse of this privilege violates FDP_ACF.1(a), Discretionary Access Control by allowing a user to bypass ACL restrictions.

Implements the following TOE Security functions: Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability of any securable object in the system.

Changes: Set the Domain Policy to Administrators for this privilege to support trusted administration.

Read unsolicited data from a terminal device (SeUnsolicitedInputPrivilege)

Required to read unsolicited input from a terminal device. It is obsolete and unused; it has no effect on the system.

  • Stand-alone Windows 2000 Professional:
    Default: None
    Recommended Change: No Change
  • Stand-alone Windows 2000 Server:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Security Policy:
    Default: None
    Recommended Change: No Change
  • Windows 2000 Domain Controller Security Policy:
    Default: None
    Recommended Change: No Change
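
As an added example (not part of the original guide), the Python below audits user-rights assignments against the Required entries in the table and shows how a Domain Security Policy setting of None differs from Not Defined when it overrides local policy. It assumes the assignments are available as the [Privilege Rights] section of a security template (.inf); the host name SRV01, the svc_legacy account and both sample templates are constructed for illustration.

```python
# Added example: check [Privilege Rights] entries against the table's Required values.
# Assumed input: security-template lines "<right> = <*SID or account name>, ...".

EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"

# Rights the table assigns to no account ("None").
MUST_BE_EMPTY = ("SeTcbPrivilege", "SeCreateTokenPrivilege",
                 "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege")

# Principals that the table's Required Change entries remove from a right.
FORBIDDEN = {
    "SeNetworkLogonRight": {"everyone", "guest"},
    "SeInteractiveLogonRight": {"guest", "tsinternetuser"},
    "SeMachineAccountPrivilege": {"authenticated users"},
}

# Constructed sample: stand-alone server defaults from the table, plus a
# hypothetical service account (svc_legacy) that was granted SeTcbPrivilege.
LOCAL_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,SRV01\Guest,SRV01\TsInternetUser
SeTcbPrivilege = SRV01\svc_legacy
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: a Domain Security Policy that sets two privileges to None
# (present but empty) and leaves the logon rights Not Defined (absent).
DOMAIN_POLICY = """
[Privilege Rights]
SeTcbPrivilege =
SeCreateTokenPrivilege =
"""


def parse_privilege_rights(text):
    """Return {right: [principals]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights


def classify(principal):
    """Map a template entry (SID or account name) to a lowercase label."""
    p = principal.strip().lstrip("*")
    if p.upper().startswith("S-1-"):
        if p == EVERYONE:
            return "everyone"
        if p == AUTHENTICATED_USERS:
            return "authenticated users"
        if p.upper().startswith("S-1-5-21-") and p.endswith("-501"):
            return "guest"  # RID 501 is the built-in Guest account
        return p
    return p.split("\\")[-1].lower()  # drop a MACHINE\ or DOMAIN\ qualifier


def effective_rights(local, domain):
    """Domain entries override local ones; a right absent from the domain
    template is Not Defined, so the local assignment stays in force."""
    merged = dict(local)
    merged.update(domain)
    return merged


def audit(rights):
    """Return (right, principal, reason) for every deviation from the table."""
    findings = []
    for right in MUST_BE_EMPTY:
        for p in rights.get(right, []):
            findings.append((right, p, "must be assigned to no account"))
    for right, banned in FORBIDDEN.items():
        for p in rights.get(right, []):
            if classify(p) in banned:
                findings.append((right, p, "removed by the table's Required Change"))
    return findings


if __name__ == "__main__":
    local = parse_privilege_rights(LOCAL_EXPORT)
    domain = parse_privilege_rights(DOMAIN_POLICY)
    for title, rights in (("local policy only", local),
                          ("with domain policy applied", effective_rights(local, domain))):
        print(title)
        for right, principal, why in audit(rights):
            print(f"  {right}: {principal} ({why})")
```

In the sample, the domain policy's empty SeTcbPrivilege entry clears the local grant, while the logon rights it leaves Not Defined still carry Everyone, Guest and TsInternetUser and have to be corrected in local policy.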