Export (0) Print
Expand All

Appendix C - User Rights and Privileges

The table below identifies the default user rights assignments on Windows 2000 systems, defines their applicability to the Windows 2000 Security Target, and provides change requirements and recommendations necessary to comply with Security Target objectives.

The table identifies the default user rights assigned to users on stand-alone Windows 2000 Professional and Server systems and on a Windows 2000 Domain Controller. It also identifies the default user rights in a Domain Security Policy (all "not-defined" by default). Assignments in the Domain Security Policy will override Local Security Policy settings for domain members. The "Required" changes noted in the table are necessary to meet compliance with ST requirements.

User right/privilege assignments can be found in the Local and Domain Security Policy GUI, as follows:

  • Windows 2000 Professional:

    Administrative Tools Local Security Policy Security Settings\Local Policies\User Rights Assignment

  • Windows 2000 Server:

    Administrative Tools Local Security Policy Security Settings\Local Policies\User Rights Assignment

  • Windows 2000 Domain Controller:

    Administrative Tools Domain Controller Security Policy Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Administrative Tools Domain Security Policy Windows Settings\Security Settings\Local Policies\User Rights Assignment

User Rights/ Privileges

Description

Groups Assigned this Right on Stand Alone Windows 2000 Professional

Groups Assigned this Right on Stand Alone Windows 2000 Servers

Groups Assigned this Right in Windows 2000 Domain Security Policy (Located on Domain Controller)

Groups Assigned this Right on Windows 2000 Domain Controller (Domain Controller Security Policy)

Applicable Security Target Requirements and/or Rationale for Change

Logon Rights

           

Access this Computer from the Network

(SeNetwork LogonRight)

Determines which users are allowed to connect over the network to the computer.

Default:

Administrators

Backup Operators

Power Users

Users

Everyone

Required Change:

Administrators

Backup Operators

Power Users

Users

Authen. Users

Default:

Administrators

Backup Operators

Power Users

Users

Everyone

Required Change:

Administrators

Backup Operators

Power Users

Users

Authen. Users

Default:

(Not Defined)

Required:

No Change

Default:

Administrators

Authen. Users

Everyone

Required Change:

Administrators

Authen. Users

Supports the following TOE Security Functional Requirement:

FIA_UAU.2.1, Authentication and FIA_UID.2, User Identification before any action.

Implements the following TOE Security functions:

Para 6.1.3, Identification and Authentication for network logons.

Changes:

Do not allow Guest/anonymous logons. Remove/replace accounts with a potential to allow unauthenticated/ anonymous access (if Guest were somehow enabled). Replace "Everyone" with "Authenticated" User.

Log on as a batch job

(SeBatch LogonRight)

Allows a user to log on by using a batch-queue facility.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Log on locally

(SeInteractive LogonRight)

Allows a user to log on locally at the computers keyboard.

Default:

Administrators

Backup Operators

Power Users

Users

Machinename\ Guest

Required Change:

Administrators

Backup Operators

Power Users

Users

Default:

Administrators

Backup Operators

Power Users

Users

Machinename\ Guest

Machinename\ TsInternetUser

Required Change:

Administrators

Backup Operators

Power Users

Users

Default:

(Not Defined)

Required:

No Change

Default:

Administrators

Account Operators

Backup Operators

Print Operators

Server Operators

TsInternetUser

Required Change:

Administrators

Account Operators

Backup Operators

Print Operators

Server Operators

Supports the following TOE Security Functional Requirement:

FIA_UAU.2.1, Authentication and FIA_UID.2, User Identification before any action.

Implements the following TOE Security functions:

Para 6.1.3, Identification and Authentication for local logons.

Changes:

Do not allow Guest/anonymous logons. Remove Guest accounts since they allow unauthenticated/ anonymous access. Remove TsInternetUser account – Terminal Services will not be implemented for the TOE.

Logon as a service

(SeService LogonRight)

Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Deny Access to this computer from the network

(SeDenyNetwork LogonRight)

Prohibits a user or group from connecting to the computer from the network.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Deny local logon

(SeDenyInteractive LogonRight)

Prohibits a user or group from logging on locally at the keyboard.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Deny logon as a batch file

(SeDenyBatch LogonRight)

Prohibits a user or group from logging on through a batch-queue facility.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Deny logon as a service

(SeDenyService LogonRight)

Prohibits a user or group from logging on as a service.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Privileges

           

Act as part of the operating system

(SeTcbPrivilege)

Allow a process to authenticate as a user and thus gain access to the same resources as a user. Only low-level authentication services should require this service.

The potential access is not limited to what is associated with the user by default, because the calling process may request that arbitrary additional accesses be put in the access token. Of even more concern is that the calling process can build an anonymous token that can provide any and all accesses. Additionally, the anonymous token does not provide a primary identity for tracking events in the audit log.

The LocalSystem account uses this privilege by default.

Default:

None

Required:

No Change

Default:

None

Required:

No Change

Default:

(Not Defined)

Required:

No Change

Default:

None

Required:

No Change

Default settings support the following TOE Security Functional Requirements:

FPT_SEP.1.2, Domain Separation.

Misuse of this privilege can violate FAU_GEN.1, Audit Generation, FAU_GEN.2, User Identity Association, and FIA_USB.1, User Subject Binding.

Implements the following TOE Security functions:

Para 6.1.5.5, Domain Separation.

Use of this privilege by accounts other than LocalSystem can violate the accountability security requirement due to the potential for generating anonymous tokens.

Changes:

Set the Domain Policy to None to enforce the default settings on the domain and ensure support of FPT_SEP.1.2, FAU_GEN.1, FAU_GEN.2, and FIA_USB.1.

Add workstations to the domain

(SeMachine AccountPrivilege)

Allows a user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain. A user who has this privilege can add up to 10 workstations to the domain.

In Windows 2000, the behavior of this privilege is duplicated by the Create Computer Objects permission for organizational units and the default Computers container in Active Directory. Users who have the Create Computer Objects permission can add an unlimited number of computers to the domain.

Default:

None

Required:

No Change

Default:

None

Required:

No Change

Default:

(Not Defined)

Required:

No Change

Default:

Authen. Users

Required Change:

Domain Admins

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Implements the following TOE Security functions:

Para 6.1.4.1, Security Management Functions, describing the domain management function that allows an "authorized administrator" to add and remove machines to and from a domain.

Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to add and remove machines from the domain.

Changes:

Set the default on Domain Controller Security Policy from Authenticated Users to Domain Admins to ensure trusted administration and configuration control of the domain infrastructure.

Backup files and directories

(SeBackup Privilege)

Allows the user to circumvent file and directory permissions to backup the system. The privilege is selected only when the application attempts to access through the NTFS backup application interface. Otherwise normal file and directory permissions apply.

Default:

Administrators

Backup Operators

Required:

No Change

Default:

Administrators

Backup Operators

Required:

No Change

Default:

(Not Defined)

Required:

No Change

Default:

Administrators

Backup Operators

Server Operators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Misuse of this privilege violates FDP_ACF.1(a), Discretionary Access Control by allowing a user to bypass ACL restrictions.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to conduct backups.

Do not assign this privilege to any account, other than the defaults, in order to ensure that only authorized administrators are granted this right though membership in the Administrators, Backup Operators, or Server Operators groups.

Bypass traverse checking

(SeChange NotifyPrivilege)

Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft Windows file system or in the Registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.

Default:

Administrators

Backup Operators Power Users

Users

Everyone

Recommended Change:

No Change

Default:

Administrators

Backup Operators Power Users

Users

Everyone

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

Administrators

Authen. Users

Everyone

Recommended Change:

No Change

 

Change the system time

(SeSystem TimePrivilege)

Allows the user to set the time for the internal clock of the computer.

Default:

Administrators Power Users

Required Change:

No Change

Default:

Administrators Power Users

Required Change:

No Change

Default:

(Not Defined)

Required Change:

No Change

Default:

Administrators

Server Operators

Required Change:

No Change

Default settings support the following TOE Security Functional Requirements:

FMT_SMR.1 Security Roles, and FMT_MTD.1.1(g) Management of TSF Time.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles and para 6.1.5.6 Time Service. Can be used to grant authorized users the privilege to set the system time.

Create a token object

(SeCreate TokenPrivilege)

Allows a process to create an access token by calling NtCreateToken() or other token token-creating APIs.

Default:

None

Required Change:

No Change

Default:

None

Required Change:

No Change

Default:

(Not Defined)

Required:

None

Default:

None

Required:

No Change

Default settings support the following TOE Security Functional Requirements:

FPT_SEP.1.2, Domain Separation.

Implements the following TOE Security functions:

Para 6.1.5.5, Domain Separation.

The use of this privilege is not auditable.

Misuse of this privilege can lead to the violation of FIA_USB.1, User Subject Binding, and FAU_GEN.1, Audit Data Generation.

Change:

Set the Domain Policy to None for this privilege to enforce the default settings on the domain and ensure support of FPT_SEP.1.2.

When a process requires this privilege, use the LocalSystem account (which already has this privilege), rather than creating a separate account and assigning it this privilege to it.

Create permanent shared objects

(SeCreate PermanentPrivilege)

Allow a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that are running in kernel mode already have this privilege; it is not necessary to assign it to them.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Create a pagefile

(SeCreate Pagefile Privilege)

Allows the user to create and change the size of a pagefile.

Default:

Administrators

Required:

No Change

Default:

Administrators

Required:

No Change

Default:

(Not Defined)

Required:

Administrators

Default:

Administrators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to change pagefile settings.

Change:

Set the Domain Policy to Administrators for this privilege to support trusted administration and protect against unauthorized system modifications.

Debug programs

(SeDebug Privilege)

Allows the user to attach a debugger to any process.

Default:

Administrators

Required:

No Change

Default:

Administrators

Required:

No Change

Default:

(Not Defined)

Required:

No Change

Default:

Administrators

Required:

No Change

Assignment of this privilege violates the FAU_GEN.1, Audit Data Generation and FDP_ACF.1(a), Discretionary Access Control TOE Security Functional Requirements.

This privilege allows the user access to objects regardless of the ACLs. This privilege is not auditable and should not be assigned to any users, including administrators.

Changes:

Changed all default privilege assignments to None to ensure compliance with FAU_GEN.1 and FDP_ACF.1(a).

Enable computer and user accounts to be trusted for delegation

(SeEnable Delegation Privilege)

Allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flag on the object.

Default:

None

Required:

No Change

Default:

None

Required:

No Change

Default:

(Not Defined)

Required Change:

None

Default:

Administrators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the Trusted for Delegation settings on a user or computer in Active Directory.

Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks on the system that use Trojan horse programs, which impersonate incoming clients and use their credentials to gain access to network resources.

Changes:

Set the Domain Policy to None for this privilege to protect against the unauthorized access and modification.

Force shutdown from a remote system

(SeRemote Shutdown Privilege)

Allows a user to shut down a computer from a remote location on the network.

Default:

Administrators

Recommended Change:

No Change

Default:

Administrators

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

Administrators

Default:

Administrators

Server Operators

Recommended Change:

No Change

 

Generate security audits

(SeAudit Privilege)

Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access and other security relevant activities.

Default:

None

Required:

No Change

Default:

None

Required:

No Change

Default:

(Not Defined)

Required:

No Change

Default:

None

Required:

No Change

Supports the following TOE security requirement through the LocalSystem account:

FAU_GEN.1.1, Audit Data Generation.

If granted to users, this privilege would allow non-TFS generated audit records in the audit log. Use of this privilege is not auditable.

Changes:

Set the Domain Policy to None for this privilege. This privilege should not be allowed for any user, including administrators.

Increase quotas

(SeIncrease QuotaPrivilege)

Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack.

Default:

Administrators

Recommended:

No Change

Default:

Administrators

Recommended:

No Change

Default:

(Not Defined)

Required Change:

Administrators

Default:

Administrators

Recommended:

No Change

Could be used to support the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

However, there is not an ST requirement that specifically mandates that this ability be restricted to the administrator.

Can support the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to increase the processor quota assigned to a process.

Misuse of this privilege can cause a Denial of service, which is a serious security issue. Since managing the processor quota affects performance and availability. However, the ST does not claim to address Denial of Service.

Changes:

Set the Domain Policy to Administrators for this privilege to enforce trusted administration.

Increase scheduling priority

(SeIncrease BasePriority Privilege)

Allows a process that has Write Property access to another process to increase the execution priority of the other process.

Default:

Administrators

Recommended:

No Change

Default:

Administrators

Recommended:

No Change

Default:

(Not Defined)

Required Change:

Administrators

Default:

Administrators

Recommended:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

However, there is not an ST requirement that specifically mandates that this ability be restricted to the administrator.

Can be used to support the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to increase process execution priorities.

Misuse of this privilege can cause a Denial of service, which is a serious security issue. Since managing the processor quota affects performance and availability. However, the ST does not claim to address Denial of Service.

Changes:

Set the Domain Policy to Administrators for this privilege to enforce trusted administration.

Load and unload device drivers

(SeLoad Driver Privilege)

Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; only Administrators can install these device drivers. Note that device drivers run as Trusted (highly privileged) processes; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources.

Default:

Administrators

Required:

No Change

Default:

Administrators

Required:

No Change

Default:

(Not Defined)

Required Change:

Administrators

Default:

Administrators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to install and configure device drivers.

Changes:

Set the Domain Policy to Administrators for this privilege to support trusted administration.

Lock pages in memory

(SeLock Memory Privilege)

Allows a process to keep data in physical memory, which prevents the system from paging data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 

Manage auditing and security log

(SeSecurity Privilege)

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and Registry keys. Object access auditing is not actually performed unless it has been enabled it in Audit Policy. A user who has this privilege also can view and clear the security log from event viewer.

Default:

Administrators

Required:

No Change

Default:

Administrators

Required:

No Change

Default:

(Not Defined)

Required Change:

Administrators

Default:

Administrators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles,

FAU_SAR.1.1, Audit Review,

FAU_SAR.2.1, Restricted Audit Review, FAU_SAR.3, Selectable Audit Review, FAU_SEL.1, Selective Audit,

FAU_STG.1.1, FAU_STG.1.2, Guarantees of Audit Availability

FMT_MOF.1.1(a), Management of Audit

FMT_MTD.1.1(a), Management of the Audit Trail

FMT_MTD.1.1(b), Management of Audited Events

Implements the following TOE Security functions:

Para 6.1.4.1, Roles and para 6.1.1 Audit Function. Can be used to grant authorized users the administrative capability to configure and manage audit data.

Changes:

Set the Domain Policy to Administrators for this privilege to support trusted administration.

Modify firmware environment values

(SeSystem Environment Privilege)

Allows modification of system environment variables either by a process through an API or by a user through the System Properties applet.

Default:

Administrators

Recommended Change:

No Change

Default:

Administrators

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

Administrators

Default:

Administrators

Recommended Change:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability to modify system environment variables.

Changes:

Set the Domain Policy to Administrators for this privilege to support trusted administration.

Profile a single process

(SeProfile SingleProcess Privilege)

Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes.

Default:

Administrators

Power Users

Recommended Change:

No Change

Default:

Administrators

Power Users

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

Administrators

Recommended Change:

No Change

Could be used to supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Could be used to support the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability run performance diagnostics of nonsystem processes.

However, the ST does not claim to address the ability provided by this privilege specifically.

Profile system performance

(SeSystem ProfilePrivilege)

Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes.

Default:

Administrators

Required:

No Change

Default:

Administrators

Required:

No Change

Default:

(Not Defined)

Required Change:

Administrators

Default:

Administrators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles

Supports the following TOE Security functions:

Para 6.1.4.1, Roles and para 6.1.5.1, System Integrity. Can be used to grant authorized users the administrative capability to performance diagnostics of system processes.

Changes:

Set the Domain Policy to Administrators for this privilege to support trusted administration.

Remove computer from docking station

(SeUndock Privilege)

Allows a user of a portable computer to unlock the computer by clicking "Eject PC" on the Start menu.

Default:

Administrators

Power Users

Users

Recommended Change:

No Change

Default:

Administrators

Power Users

Users

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

Administrators

Recommended Change:

No Change

 

Replace a process-level token

(SeAssign PrimaryToken Privilege)

Allows a parent process to replace the access token that is associated with a child process.

Default:

None

Required:

No Change

Default:

None

Required:

No Change

Default:

(Not Defined)

Required:

No Change

Default:

None

Required:

No Change

Assignment of this privilege violates the following TOE Security Functional Requirement:

FDP_ACF.1(a), Discretionary Access Control Functions and FIA_USB.1, User Subject Binding, and FAU_GEN.1, Audit Data Generation.

This privilege is not auditable.

Changes:

Changed default Domain Security Policy privilege assignments to None to ensure Domain compliance with FDP_ACF.1(a), FIA_USB.1, and FAU_GEN.1.

Do not assign this privilege to any user.

Restore files and directories

(SeRestore Privilege)

Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object.

Default:

Administrators

Backup Operators

Required:

No Change

Default:

Administrators

Backup Operators

Required:

No Change

Default:

(Not Defined)

Required:

No Change

Default:

Administrators

Backup Operators

Server Operators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Misuse of this privilege violates FDP_ACF.1(a), Discretionary Access Control by allowing a user to bypass ACL restrictions.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the privilege to restore backups.

Do not assign this privilege to any account, other than the defaults, in order to ensure that only authorized administrators are granted this right though membership in the Administrators, Backup Operators, or Server Operators groups.

Shut down the system

(SeShutdown Privilege)

Allows a user to shut down the local computer.

Default:

Administrators

BACKUP OPERATORS

Power Users

Users

Recommended Change:

Administrators

Backup Operators

Power Users

Authenticated Users

Default:

Administrators

Backup Operators

Power Users

Recommended Change:

Administrators

Backup Operators

Power Users

Authenticated Users

Default:

(Not Defined)

Recommended Change:

No Change

Default:

Administrators

Account Operators

Backup Operators

Server Operators

Print Operators

Recommended Change:

No Change

 

Synchronize directory service data

(SeSyncAgent Privilege)

Allows a service to provide directory synchronization services. This privilege is relevant only on Domain Controllers.

Required for a domain controller to use the LDAP directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

(Not Defined)

Recommended Change:

No Change

Default:

Administrator

Recommended Change:

No Change

 

Take ownership of files or other objects

(SeTake Ownership Privilege)

Allows the user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, Registry keys, processes, and threads.

Default:

Administrators

Required:

No Change

Default:

Administrators

Required:

No Change

Default:

(Not Defined)

Required Change:

Administrators

Default:

Administrators

Required:

No Change

Supports the following TOE Security Functional Requirement:

FMT_SMR.1 Security Roles.

Misuse of this privilege violates FDP_ACF.1(a), Discretionary Access Control by allowing a user to bypass ACL restrictions.

Implements the following TOE Security functions:

Para 6.1.4.1, Roles. Can be used to grant authorized users the administrative capability of any securable object in the system.

Changes:

Set the Domain Policy to Administrators for this privilege to support trusted administration.

Read unsolicited data from a terminal device

(SeUnsolicited InputPrivilege)

Required to read unsolicited input from a terminal device. It is obsolete and unused. it has no effect on the system.

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

Default:

None

Recommended Change:

No Change

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft