Threats and Countermeasures Guide: User Rights
This section of the Threats and Countermeasures Guide discusses user rights. User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or a domain. User rights include logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to computer and domain resources and can override permissions that have been set on specific objects. Privileges are managed in Group Policy under User Rights Assignment.
An example of a logon right is the ability to log on to a computer locally. An example of a privilege is the ability to shut down the computer. Both types of user rights are assigned by administrators to individual users or groups as part of the security settings for the computer.
Each user right has a constant name and Group Policy setting associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC): Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
The following table identifies the user right Group Policy setting and its associated constant name.
Group Policy Setting | Constant Name |
---|---|
Access Credential Manager as a trusted caller |
SeTrustedCredManAccessPrivilege |
Access this computer from the network |
SeNetworkLogonRight |
Act as part of the operating system |
SeTcbPrivilege |
Add workstations to domain |
SeMachineAccountPrivilege |
Adjust memory quotas for a process |
SeIncreaseQuotaPrivilege |
Allow log on locally |
SeInteractiveLogonRight |
Allow log on through Remote Desktop Services |
SeRemoteInteractiveLogonRight |
Back up files and directories |
SeBackupPrivilege |
Bypass traverse checking |
SeChangeNotifyPrivilege |
Change the system time |
SeSystemtimePrivilege |
Change the time zone |
SeTimeZonePrivilege |
Create a page file |
SeCreatePagefilePrivilege |
Create a token object |
SeCreateTokenPrivilege |
Create global objects |
SeCreateGlobalPrivilege |
Create permanent shared objects |
SeCreatePermanentPrivilege |
Create symbolic links |
SeCreateSymbolicLinkPrivilege |
Debug programs |
SeDebugPrivilege |
Deny access to this computer from the network |
SeDenyNetworkLogonRight |
Deny log on as a batch job |
SeDenyBatchLogonRight |
Deny log on as a service |
SeDenyServiceLogonRight |
Deny log on locally |
SeDenyInteractiveLogonRight |
Deny log on through Remote Desktop Services |
SeDenyRemoteInteractiveLogonRight |
Enable computer and user accounts to be trusted for delegation |
SeEnableDelegationPrivilege |
Force shutdown from a remote system |
SeRemoteShutdownPrivilege |
Generate security audits |
SeAuditPrivilege |
Impersonate a client after authentication |
SeImpersonatePrivilege |
Increase a process working set |
SeIncreaseWorkingSetPrivilege |
Increase scheduling priority |
SeIncreaseBasePriorityPrivilege |
Load and unload device drivers |
SeLoadDriverPrivilege |
Lock pages in memory |
SeLockMemoryPrivilege |
Log on as a batch job |
SeBatchLogonRight |
Log on as a service |
SeServiceLogonRight |
Manage auditing and security log |
SeSecurityPrivilege |
Modify an object label |
SeRelabelPrivilege |
Modify firmware environment values |
SeSystemEnvironmentPrivilege |
Perform volume maintenance tasks |
SeManageVolumePrivilege |
Profile single process |
SeProfileSingleProcessPrivilege |
Profile system performance |
SeSystemProfilePrivilege |
Remove computer from docking station |
SeUndockPrivilege |
Replace a process level token |
SeAssignPrimaryTokenPrivilege |
Restore files and directories |
SeRestorePrivilege |
Shut down the system |
SeShutdownPrivilege |
Synchronize directory service data |
SeSyncAgentPrivilege |
Take ownership of files or other objects |
SeTakeOwnershipPrivilege |
This policy setting is used by Credential Manager during Backup and Restore. No accounts should have this privilege because it is assigned only to Winlogon. Saved credentials of users may be compromised if this privilege is given to other entities.
Possible values:
User-defined list of accounts
Not Defined
If an account is given this right, the user of the account can create an application that calls into Credential Manager and is then provided the credentials for another user.
Do not define the Access Credential Manager as a trusted caller policy setting for any accounts besides Credential Manager.
None. Not Defined is the default configuration.
This policy setting determines which users can connect to the computer from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
Possible values:
User-defined list of accounts
Not Defined
By default, the members of the following groups have this right on desktop computers and servers:
Administrators
Backup Operators
Everyone
Users
By default, the members of the following groups have this right on domain controllers:
Administrators
Authenticated Users
Enterprise Domain Controllers
Everyone
Pre-Windows 2000 Compatible Access
Users who can connect from their computer to the network can access resources on target computers for which they have permission. For example, the Access this computer from the network user right is required for users to connect to shared printers and folders. If this user right is assigned to the Everyone group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups that are created by a default installation of Windows Server® 2008 R2 and Windows® 7 do not include the Everyone group. However, if a computer is upgraded to Windows Server 2008 R2 or Windows 7 and the original computer includes the Everyone group as part of its defined users and groups, that group is transitioned as part of the upgrade process, and it is present on the system.
Restrict the Access this computer from the network user right to only those users and groups who require access to the computer. For example, if you configure this policy setting for the Administrators and Users groups, users who log on to the domain can access resources that are shared from servers in the domain if members of the Domain Users group are included in the local Users group.
Note
If you are using IPsec to help secure network communications in your organization, ensure that a group that includes computer accounts is given this right. This right is required for successful computer authentication. Assigning this right to Authenticated Users or Domain Computers meets this requirement.
If you remove the Access this computer from the network user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the computers that they need to access the network.
This policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access is not limited to what is associated with the user by default. The calling process may request that arbitrary additional privileges be added to the access token. The calling process may also build an access token that does not provide a primary identity for auditing in the system event logs.
Possible values:
User-defined list of accounts
Not Defined
The default value for this user right is Not Defined.
Users with the Act as part of the operating system user right can take complete control of the computer and erase evidence of their activities.
Restrict the Act as part of the operating system user right to as few accounts as possible, and it should not be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which has this privilege inherently. Do not create a separate account and assign this user right to it.
There should be little or no impact because the Act as part of the operating system user right is rarely needed by any accounts other than the Local System account.
This policy setting determines which users can add a computer to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to 10 workstations to the domain. Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of computers to the domain regardless of whether they have the Add workstations to domain user right.
Possible values:
User-defined list of accounts
Not Defined
By default, members of the Authenticated Users group have this user right.
The Add workstations to domain user right presents a moderate vulnerability. Users with this right could add a computer to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative privileges on their computers, a user could install Windows on his or her computer and then add the computer to the domain. The user would know the password for the local administrator account, could log on with that account, and then add his or her domain account to the local Administrators group.
Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain.
For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own computers, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and re-added to the domain.
This policy setting determines which users can adjust the maximum amount of memory that is available to a process. Although this capability is useful when you must tune computers, it has potential for abuse.
Possible values:
User-defined list of accounts
Not Defined
By default, members of the following groups have this right:
Administrators
Local Service
Network Service
A user with the Adjust memory quotas for a process user right can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. This privilege could be used to start a denial-of-service (DoS) attack.
Restrict the Adjust memory quotas for a process user right to users who require it to perform their jobs, such as application administrators who maintain database management systems or domain administrators who manage the organization's directory and its supporting infrastructure.
Organizations that have not restricted users to roles with limited privileges may find it difficult to impose this countermeasure. Also, if you have installed optional components such as ASP.NET or IIS, you may need to assign the Adjust memory quotas for a process user right to additional accounts that are required by those components. IIS requires that this privilege be explicitly assigned to the IWAM_<ComputerName>, Network Service, and Service accounts. Otherwise, this countermeasure should have no impact on most computers. Additionally, some applications might require a service account with this user right to run. If this user right is necessary for a user account, it can be assigned to a local computer account instead of to a domain account. Before you remove a user account from the list of accounts with this right, ensure that those user accounts are not being used as service accounts.
This policy setting determines which users can start an interactive session on the computer. Users who do not have this right are still able to start a remote interactive session on the computer if they have the Allow logon through Remote Desktop Services right.
Possible values:
User-defined list of accounts
Not Defined
By default, the members of the following groups have this right on workstations and servers:
Administrators
Backup Operators
Users
By default, the members of the following groups have this right on domain controllers:
Account Operators
Administrators
Backup Operators
Print Operators
Server Operators
Any account with the Allow log on locally user right can log on to the console of the computer. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
For domain controllers, assign the Allow log on locally user right only to the Administrators group. For other server roles, you may choose to add Backup Operators as well as Administrators. For end-user computers, you should also assign this right to the Users group.
Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the Deny log on locally user right.
If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.NET or IIS, you may need to assign the Allow log on locally user right to additional accounts that are required by those components. IIS requires that this user right be assigned to the IUSR_<ComputerName> account. You should confirm that delegated activities are not adversely affected by any changes that you make to the Allow log on locally user rights assignments.
This policy setting determines which users can log on to the computer through a Remote Desktop connection. You should not assign this user right to additional users or groups. Instead, it is a best practice to add users to or remove users from the Remote Desktop Users group to control who can open a Remote Desktop connection to the computer.
Possible values:
User-defined list of accounts
Not Defined
By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers.
Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
For domain controllers, assign the Allow log on through Remote Desktop Services user right only to the Administrators group. For other server roles and end-user computers, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to either of these groups.
Warning
For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
Alternatively, you can assign the Deny log on through Remote Desktop Services user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the Deny log on through Remote Desktop Services user right.
Removal of the Allow log on through Remote Desktop Services user right from other groups or membership changes in these default groups could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.
This policy setting determines which users can circumvent file and directory permissions to back up the computer. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply.
Possible values:
User-defined list of accounts
Not Defined
By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right.
Users who can back up data from a computer could take the backup media to a non-domain computer on which they have administrative privileges and restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set.
Restrict the Back up files and directories user right to members of the IT team who must back up organizational data as part of their day-to-day job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the Back up files and directories user right.
Changes in the membership of the groups that have the Back up files and directories user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations.
This policy setting determines which users can pass through folders without being checked for the Traverse Folder special access permission when they navigate an object path in the NTFS file system or in the registry. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders.
Possible values:
User-defined list of accounts
Not Defined
The default configuration for the Bypass traverse checking setting is to allow all users, including the Everyone group, to bypass traverse checking. Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder does not provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions does not understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk.
Organizations that are extremely concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the Bypass traverse checking user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users cannot see any folder or file to which they do not have access. For more information about this feature, see Access-based Enumeration.
The Windows operating systems, as well as many applications, were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the Bypass traverse checking user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration.
This policy setting determines which users can adjust the time on the computer's internal clock. It is not required to change the time zone or other display characteristics of the system time.
Possible values:
User-defined list of accounts
Not Defined
By default on workstations and servers, members of the Administrators and Local Service groups have this right. On domain controllers, members of the Administrators, Server Operators, and Local Service groups have this right.
Users who can change the time on a computer could cause several problems. For example, time stamps on event log entries could be made inaccurate, time stamps on files and folders that are created or modified could be incorrect, and computers that belong to a domain may not be able to authenticate themselves or users who try to log on to the domain from them. Also, because the Kerberos authentication protocol requires that the requester and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a computer's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets.
The risk from these types of events is mitigated on most domain controllers, member servers, and end-user computers because the Windows Time Service automatically synchronizes time with domain controllers in the following ways:
All desktop client computers and member servers use the authenticating domain controller as their inbound time partner.
All domain controllers in a domain nominate the primary domain controller (PDC) emulator operations master as their inbound time partner.
All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner.
The PDC emulator operations master at the root of the domain is authoritative for the organization. Therefore, we recommend that you configure this computer to synchronize with a reliable external time server.
This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that is not accurate.
Restrict the Change the system time user right to users with a legitimate need to change the system time, such as members of the IT team.
There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source.
This policy setting determines which users can adjust the time zone that is used by the computer for displaying the local time, which is the computer's system time plus the time zone offset.
Possible values:
User-defined list of accounts
Not Defined
By default, members of the Administrators and Users group have this right.
Changing the time zone represents little vulnerability because the system time is not affected. This setting merely enables users to display their preferred time zone while being synchronized with domain controllers in different time zones.
Countermeasures are not required because system time is not affected by this setting.
None. Not Defined is the default configuration.
This policy setting determines which users can create and change the size of a page file. Specifically, it determines whether they can specify a page file size for a particular drive in the Performance Options box located on the Advanced tab of the System Properties dialog box or through using internal application interfaces (APIs).
Possible values:
User-defined list of accounts
Not Defined
By default, members of the Administrators group have this right.
Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced computer performance.
Restrict the Create a page file user right to members of the Administrators group.
None. Restricting this right to members of the Administrators group is the default configuration.
This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
Possible values:
User-defined list of accounts
Not Defined
This user right is used internally by the operating system; by default, it is not assigned to any user groups.
Warning
A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign any user accounts this right.
The operating system examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local computer or connect to a remote computer over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a DoS condition.
Do not assign the Create a token object user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned.
None. Not Defined is the default configuration.
This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.
Possible values:
User-defined list of accounts
Not Defined
By default, members of the Administrators group have this right, as do Local Service and Network Service accounts.
Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption.
Restrict the Create global objects user right to members of the local Administrators and Service groups.
None. Restricting the Create global objects user right to members of the local Administrators and Service groups is the default configuration.
This policy setting determines which users can create directory objects in the object manager. Users who have this capability can create permanent shared objects, including devices, semaphores, and mutexes. This user right is useful to kernel-mode components that extend the object namespace, and they have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right to any users.
Possible values:
User-defined list of accounts
Not Defined
Users who have the Create permanent shared objects user right could create new shared objects and expose sensitive data to the network.
Do not assign the Create permanent shared objects user right to any users. Processes that require this user right should use the System account, which already includes this user right, instead of a separate user account.
None. Not Defined is the default configuration.
This policy setting determines which users can create a symbolic link from the currently logged on computer to a file or folder in a different location.
Possible values:
User-defined list of accounts
Not Defined
By default, members of the Administrators group have this right.
Users who have the Create symbolic links user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a DoS attack.
Do not assign the Create symbolic links user right to standard users. Restrict this right to trusted administrators. You can use the fsutil command to establish a symlink file system setting that controls the kind of symbolic links that can be created on a computer. For more information about fsutil and symbolic links, type fsutil behavior set symlinkevaluation /? at an elevated command prompt.
None. Not defined is the default configuration.
This policy setting determines which users can attach to or open any process, even those they do not own. This user right provides access to sensitive and critical operating-system components.
Possible values:
User-defined list of accounts
Not Defined
The Debug programs user right can be exploited to capture sensitive computer information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert rootkit code. By default, the Debug programs user right is assigned only to administrators, which helps mitigate risk from this vulnerability.
Remove the accounts of all users and groups that do not require the Debug programs user right.
If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production computers. If a problem arises that requires an application to be debugged on a production server, you can move the server to a different OU temporarily and assign the Debug programs user right to a separate Group Policy for that OU.
This policy setting determines which users are prevented from accessing this computer over the network.
Possible values:
User-defined list of accounts
Not Defined
Users who can log on to the computer over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
Assign the Deny access to this computer from the network user right to the following accounts:
ANONYMOUS LOGON
Built-in local Administrator account
Local Guest account
All service accounts
An important exception to this list is any service accounts that are used to start services that must connect to the computer over the network. For example, if you have configured a shared folder for Web servers to access and present content within that folder through a Web site, you may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
If you configure the Deny access to this computer from the network user right for other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected.
This policy setting determines which accounts are prevented from logging on by using a batch-queue tool, which is a feature in Windows 7 and Windows Server 2008 R2 that is used to schedule and start jobs automatically one or more times in the future. The ability to log on by using a batch-queue tool is needed for any accounts that are used to start scheduled jobs by means of the Task Scheduler.
Possible values:
User-defined list of accounts
Not Defined
Accounts that have the Deny log on as a batch job user right could be used to schedule jobs that could consume excessive computer resources and cause a DoS condition.
Assign the Deny log on as a batch job user right to the local Guest account.
If you assign the Deny log on as a batch job user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to perform their required job activities. You should confirm that delegated tasks are not affected adversely.
This policy setting determines which users are prevented from logging on to the computer as a service.
Possible values:
User-defined list of accounts
Not Defined
Accounts that can log on as a service could be used to configure and start new unauthorized services, such as a keylogger or other malicious software. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative privileges can install and configure services, and an attacker who has already attained that level of access could configure the service to run with the System account.
We recommend that you not assign the Deny log on as a service user right to any accounts, which is the default configuration. Organizations that are extremely concerned about security may want to assign this user right to groups and accounts that they are certain will never need to log on as a service.
If you assign the Deny log on as a service user right to specific accounts, services may not start and a DoS condition could result.
This policy setting determines which users are prevented from logging on directly at the computer's console.
Possible values:
User-defined list of accounts
Not Defined
Any account with the ability to log on locally could be used to log on at the console of the computer. If this user right is not restricted to legitimate users who must log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.
Assign the Deny log on locally user right to the local guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on computers that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected.
This policy setting determines which users are prevented from logging on to the computer through a Remote Desktop connection.
Possible values:
User-defined list of accounts
Not Defined
Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their privileges.
Assign the Deny log on through Remote Desktop Services user right to the built-in local guest account and all service accounts. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
If you assign the Deny log on through Remote Desktop Services user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the computer through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected.
This policy setting determines which users can change the Trusted for Delegation setting on a user or computer object in Active Directory® Domain Services (AD DS). Users and computers that are assigned this user right must also have write access to the account control flags on the object.
Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, both client and server must run under accounts that are trusted for delegation.
Possible values:
User-defined list of accounts
Not Defined
Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.
The Enable computer and user accounts to be trusted for delegation user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default.
Note
There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.
None. Not Defined is the default configuration.
This policy setting determines which users can shut down a computer from a remote location on the network.
Possible values:
User-defined list of accounts
Not Defined
Any user who can shut down a computer could cause a DoS condition to occur. Therefore, this user right should be tightly restricted.
Restrict the Force shutdown from a remote system user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations center staff.
If, on a domain controller, you remove the Force shutdown from a remote system user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.
This policy setting determines which accounts can be used by a process to generate audit records in the Security log. You can use the information in the Security log to trace unauthorized computer access.
Possible values:
User-defined list of accounts
Not Defined
Accounts that can write to the Security log could be used by an attacker to fill that log with meaningless events. If the computer is configured to overwrite events as needed, attackers could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log and it is not configured to automatically back up the log files, this method could be used to create a DoS condition.
Ensure that only the Local Service and Network Service accounts have the Generate security audits user right assigned to them.
None. Restricting the Generate security audits user right to the Local Service and Network Service accounts is the default configuration.
This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user cannot cause a client to connect—for example, by remote procedure call (RPC) or named pipes—to a service that they have created to impersonate that client, which could elevate the unauthorized user's permissions to administrative or system levels.
Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started.
A user can impersonate an access token if any of the following conditions exist:
The access token that is being impersonated is for this user.
The user in this logon session logged on to the network with explicit credentials to create the access token.
The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users do not usually need to have this user right assigned.
Possible values:
User-defined list of accounts
Not Defined
An attacker with the Impersonate a client after authentication user right could create a service, trick a client computer into connecting to the service, and then impersonate that computer to elevate the attacker's level of access to that of the computer.
On member servers, ensure that only the Administrators and Service groups (SERVICE, Local Service, and Network Service) have the Impersonate a client after authentication user right assigned to them.
In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the Impersonate a client after authentication user right to additional accounts that are required by those components, such as IUSR_<ComputerName>, IIS_WPG, ASP.NET, or IWAM_<ComputerName>.
This policy setting determines which users can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident, and they are available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.
Possible values:
User-defined list of accounts
Not Defined
By default, standard users have this right.
Increasing the working set size for a process decreases the amount of physical memory that is available to the rest of the system.
Increase user awareness of the impact of increasing a process working set and how to recognize when their system is adversely affected by changing this setting.
None. Allowing standard users to increase the process working set is the default configuration.
This policy setting determines which users can increase the base priority class of a process. It is not a privileged operation to increase relative priority within a priority class. This user right is not required by administrative tools that are supplied with the operating system, but it might be required by software development tools.
Possible values:
User-defined list of accounts
Not Defined
A user who is assigned this user right could increase the scheduling priority of a process to Real-Time, which would leave little processing time for all other processes and could lead to a DoS condition.
Verify that only Administrators have the Increase scheduling priority user right assigned to them.
None. Restricting the Increase scheduling priority user right to members of the Administrators group is the default configuration.
This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer.
Note
This right does not apply to Plug and Play device drivers.
Possible values:
User-defined list of accounts
Not Defined
Device drivers run as highly privileged code. A user who has the Load and unload device drivers user right could unintentionally install malicious software that masquerades as a device driver. Administrators should exercise greater care and install only drivers with verified digital signatures.
Note
You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.
Do not assign the Load and unload device drivers user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins.
If you remove the Load and unload device drivers user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected.
This policy setting determines which accounts can use a process to keep data in physical memory, which prevents the computer from paging the data to virtual memory on disk. If you assign this user right, significant degradation of computer performance can occur.
Possible values:
User-defined list of accounts
Not Defined
Users with the Lock pages in memory user right could assign physical memory to several processes, which could leave little or no RAM for other processes and result in a DoS condition.
Do not assign the Lock pages in memory user right to any accounts.
None. Not Defined is the default configuration.
This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When an administrator uses the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the Log on as a batch job user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context.
Possible values:
User-defined list of accounts
Not Defined
The Log on as a batch job user right presents a low-risk vulnerability. For most organizations, the default setting of Not Defined is sufficient. Members of the local Administrators group have this right by default.
You should allow the computer to manage this logon right automatically if you want to allow scheduled tasks to run for specific user accounts. If you do not want to use the Task Scheduler in this manner, configure the Log on as a batch job user right for only the Local Service account.
For IIS servers, you should configure this policy locally instead of through domain–based Group Policy settings so that you can ensure that the local IUSR_<ComputerName> and IWAM_<ComputerName> accounts have this logon right.
If you configure the Log on as a batch job setting by using domain-based Group Policy settings, the computer cannot assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you may need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS_WPG group and the IUSR_<ComputerName>, ASPNET, and IWAM_<ComputerName> accounts. If this user right is not assigned to this group and these accounts, IIS cannot run some COM objects that are necessary for proper functionality.
This policy setting determines which service accounts can register a process as a service. In Windows Server 2008 R2 and Windows 7, only the Network Service account has this right by default. Any service that runs under a separate user account must be assigned this user right.
Possible values:
User-defined list of accounts
Not Defined
Log on as a service allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account.
By definition, the Network Service account has the Log on as a service user right. This right is not granted through the Group Policy setting. You should minimize the number of other accounts that are granted this user right.
On most computers, restricting the Log on as a service user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the Log on as a service user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account.
This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. Object access audits are not performed unless you enable them by using either the GPMC or the Auditpol command-line tool. A user who is assigned this user right can also view and clear the Security log in Event Viewer. For more information about audit policy, see the Threats and Countermeasures Guide: Advanced Security Audit Policy section of this guide.
Possible values:
User-defined list of accounts
Not Defined
Anyone with the Manage auditing and security log user right can clear the Security log to erase important evidence of unauthorized activity.
Ensure that only the local Administrators group has the Manage auditing and security log user right.
Restricting the Manage auditing and security log user right to the local Administrators group is the default configuration.
Warning
If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from such a group, investigate whether any applications are dependent on this right.
This policy setting determines which users can modify the integrity label of objects, such as files, registry keys, or processes that are owned by other users. The integrity label is used by the Windows Integrity Controls (WIC) feature, and it is new to Windows 7. WIC keeps lower-integrity processes from modifying higher-integrity objects by assigning one of six possible labels to objects on the system. The following list describes the integrity levels from lowest to highest integrity:
Untrusted Default assignment for processes that are logged on anonymously.
Low Default assignment for processes that interact with the Internet.
Medium Default assignment for standard user accounts and any object not explicitly designated with a lower or higher integrity level.
High Default assignment for administrator accounts and processes that request to run using administrative rights.
System Default assignment for Windows kernel and core services.
Installer Used by setup programs to install software. It is important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects.
Possible values:
User-defined list of accounts
Not Defined
By default, no user accounts are given this right.
Anyone with the Modify an object label user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower-level processes. Either of these states effectively circumvents the protection offered by Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the Modify an object label right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to relabel.
Do not give any group this right. If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need.
None. Not Defined is the default configuration.
This security setting determines who can modify firmware environment values. The effect of the setting depends on the processor.
On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system.
On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties.
On all computers, this user right is required to install or upgrade Windows.
Note
This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
Possible values:
User-defined list of accounts
Not Defined
Anyone who is assigned the Modify firmware environment values user right could configure the settings of a hardware component to cause it to fail, which could lead to data corruption or a DoS condition.
Ensure that only the local Administrators group is assigned the Modify firmware environment values user right.
None. Restricting the Modify firmware environment values user right to the members of the local Administrators group is the default configuration.
This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool.
Possible values:
User-defined list of accounts
Not Defined
A user who is assigned the Perform volume maintenance tasks user right could delete a volume, which could result in the loss of data or a DoS condition. Also, disk maintenance tasks can be used to modify data on the disk such as user rights assignments that might lead to escalation of privileges.
Ensure that only the local Administrators group is assigned the Perform volume maintenance tasks user right.
None. Restricting the Perform volume maintenance tasks user right to the local Administrators group is the default configuration.
This policy setting determines which users can sample the performance of an application process. Typically, you do not need this user right to use the Performance console. However, you do need this user right if System Monitor is configured to collect data through Windows Management Instrumentation (WMI).
Possible values:
User-defined list of accounts
Not Defined
The Profile single process user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software or an intrusion-detection system. They could also identify other users who are logged on to a computer.
Ensure that only the local Administrators group is assigned the Profile single process user right.
If you remove the Profile single process user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected.
This policy setting determines which users can sample the performance of computer system processes. This privilege is required by the Performance console only if it is configured to collect data through WMI. Typically, you do not need this user right to use the Performance console. However, you must have this user right if System Monitor is configured to collect data through WMI.
Possible values:
User-defined list of accounts
Not Defined
The Profile system performance user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may also be able to determine what processes are active on the computer so that they could identify countermeasures to avoid, such as antivirus software or an intrusion detection system.
Ensure that only the local Administrators group is assigned the Profile system performance user right.
None. Restricting the Profile system performance user right to the local Administrators group is the default configuration.
This policy setting determines which users of a portable computer need to log on and then click Eject PC on the Start menu to undock the computer.
Possible values:
User-defined list of accounts
Not Defined
By default, members of the following group have this right:
- Local Administrators
Anyone who has the Remove computer from docking station user right can log on and then remove a portable computer from its docking station. If this setting is not defined, it has the same effect as if everyone were granted this right. However, the value of implementing this countermeasure is reduced by the following factors:
If attackers can restart the computer, they could remove it from the docking station after the BIOS starts but before the operating system starts.
This setting does not affect servers because they typically are not installed in docking stations.
An attacker could steal the computer and the docking station together.
Computers that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.
Ensure that only the local Administrators group and the user account to which the computer is allocated are assigned the Remove computer from docking station user right.
By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted the right as necessary. If your organization's users are not members of the local Administrators groups on their portable computers, they cannot remove their own portable computers from their docking stations without shutting them down first. Therefore, you may want to assign the Remove computer from docking station privilege to the local Users group for portable computers.
This policy setting determines which parent processes can replace the access token that is associated with a child process.
Possible values:
User-defined list of accounts
Not Defined
Users with the Replace a process level token user right can start processes as other users whose credentials they know.
For member servers, ensure that only the Local Service and Network Service accounts have the Replace a process level token user right.
On most computers, restricting the Replace a process level token user right to the Local Service and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the Replace a process level token user right to additional accounts. For example, IIS requires that the Service, Network Service, and IWAM_<ComputerName> accounts be explicitly granted this user right.
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object.
Granting this user right to an account is similar to granting the account the following permissions to all files and folders on the system:
Traverse Folder/Execute File
Write
Warning
Users with this user right can overwrite registry settings, hide data, and gain ownership of system objects. We strongly recommend that you only assign this user right to trusted users.
By default, this right is granted to the Administrators and Backup Operators groups. On domain controllers, it is also granted to the Server Operators group.
Possible values:
User-defined list of accounts
Not Defined
An attacker with the Restore files and directories user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a DoS condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide for continued access to the computer.
Note
Even if the following countermeasure is configured, an attacker could still restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data.
Ensure that only the local Administrators group is assigned the Restore files and directories user right unless your organization has clearly defined roles for backup and for restore personnel.
If you remove the Restore files and directories user right from the Backup Operators group and other accounts, users who are not members of the local Administrators group cannot load data backups. If your organization delegates the restoration of backups to a subset of your IT staff, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs.
This policy setting determines which users can shut down the local computer.
Possible values:
User-defined list of accounts
Not Defined
The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the Shut down the system user right requires the ability to log on to the server, you should be very careful about which accounts and groups that you allow to shut down a domain controller.
When a domain controller is shut down, it is no longer available to process logons, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess Flexible Single–Master Operations (FSMO) roles, you can disable key domain functionality, such as processing logons for new passwords—the primary domain controller (PDC) emulator role.
For other server roles, especially those where non-administrators have rights to log on to the server (such as RD Session Host servers), it is critical that this privilege be removed from users that do not have a legitimate reason to restart the servers.
Ensure that only the Administrators and Backup Operators groups are assigned the Shut down the system user right on member servers, and ensure that only the Administrators group is assigned the user right on domain controllers.
The impact of removing these default groups from the Shut down the system user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities are not adversely affected.
This policy setting determines which users and groups have the authority to synchronize all directory service data, regardless of the protection on the objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services.
Possible values:
User-defined list of accounts
Not Defined
The Synchronize directory service data user right affects domain controllers; only domain controllers should be able to synchronize directory service data. Domain controllers have this user right inherently because the synchronization process runs in the context of the System account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses.
Ensure that no accounts are assigned the Synchronize directory service data user right.
None. Not Defined is the default configuration.
This policy setting determines which users can take ownership of any securable object in the computer, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
Possible values:
User-defined list of accounts
Not Defined
Any users with the Take ownership of files or other objects user right can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make that object. Such changes could result in exposure of data, corruption of data, or a DoS condition.
Ensure that only the local Administrators group has the Take ownership of files or other objects user right.
None. Restricting the Take ownership of files or other objects user right to the local Administrators group is the default configuration.