Windows privileges can be assigned to individual user accounts and groups. Administrators can assign privileges to a user with the chusr or editusr command, or to a group with the chgrp or editgrp command. Users who are added to a group automatically gain all the privileges assigned to the group.
You can use the name of the privilege, or user right, exactly as it appears in the list, or you can add Se to the beginning and Privilege to the end of the name (except for BatchLogon, InteractiveLogon, NetworkLogon, and ServiceLogon, to which you add Right instead of Privilege).
Following are the privileges available in Windows.
Privilege | Default Assignment | Description
---|---|---
AssignPrimaryToken | None | Allows a user to modify the security access token of a process.
Audit | None | Generates security audits.
Backup | Administrators, Backup Operators | Allows a user to back up files and directories. This privilege replaces all file and directory permissions.
BatchLogon | None | Allows a user to log in as a batch job.
ChangeNotify | Everyone | Usually, rights to files and subdirectories flow downward; that is, users who do not have rights to a specific directory do not also have rights to access the subdirectories below that directory. This privilege allows a user to access subdirectories, even if that user has no rights to the parent directories.
CreatePagefile | None | Allows a user to create a page file. Security is determined by a user's access to the key: \CurrentControlSet\Control\
CreatePermanent | None | Allows a user to create special permanent objects, such as \\Device
CreateToken | None | Creates a token object. Only the Local Security Authority can do this. The Local Security Authority ensures that the user has permission to access the system. It is not possible to audit the use of this right. For C2 certification, we recommend that it not be assigned to any user.
Debug | Administrator | Debugs programs or objects such as threads. You cannot audit this privilege. For C2 certification, we recommend that it not be assigned to any user, including system administrators.
IncreaseBasePriority | Administrators | Allows a user to increase the execution priority of a process.
IncreaseQuota | None | Allows a user to increase the object quotas.
InteractiveLogon | Most groups | Allows the user to log in interactively.
LoadDriver | Administrators | Allows a user to install and remove device drivers.
LockMemory | None | Allows a user to lock pages in the memory of the computer so the pages cannot be automatically backed up on a backing store like PAGEFILE.SYS.
MachineAccount | None | Allows a user to add a new machine to a domain.
NetworkLogon | Everyone | Allows users to connect to a computer from anywhere in the network. This means users do not have to be at a specific place or terminal to log into their computer.
ProfileSingleProcess | Administrators | Allows a user to use performance-monitoring tools in order to monitor the performance of a single process.
RemoteShutdownPrivilege | Administrators | Allows a user to shut down a Windows system remotely.
Restore | Administrators | Allows a user to restore backed-up files and directories. This right replaces all file and directory permissions.
Security | Administrators | Allows a user to specify what types of resource access (such as file access) are to be audited, and to view and clear the security log. Note: This privilege does not allow the user to set system auditing policies using the Audit command from the Policy menu in Microsoft's User Manager. Administrators always have the ability to view and clear the security log.
ServiceLogon | None | Enables a process to register with the system as a service.
Shutdown | Administrators | Allows the user to shut down the system from the system console.
SystemEnvironment | Administrators | Allows a user to modify the system environment variables. This enables the user to set up the system environment at their workstation, and ensure that all other users working on the same workstation use the same setup.
SystemProfile | Administrators | Allows a user to perform profiling (performance sampling) on the system.
SystemTime | Administrators | Allows a user to set the time for the internal clock of the computer.
TakeOwnership | Administrators | Allows a user to become the owner of files, directories, printers, and other objects on the computer. This right replaces all permissions protecting objects.
Tcb | None | Enables a process to perform as a secure, trusted part of the operating system. Some subsystems are granted this privilege.
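The naming rule above (bare list name, or Se + name + Privilege, with Right instead of Privilege for the four logon rights) and the group-inheritance rule are easy to get wrong when reviewing a batch of chusr/chgrp assignments. The following is an added example, not CA's own code: it normalizes a privilege name to the form shown in the table, rejects a suffix that does not fit the name, computes a user's effective privileges from the user's own assignments plus those of the user's groups, and flags the entries the table itself warns about (CreateToken and Debug cannot be audited and are recommended against; Backup, Restore and TakeOwnership replace all file and directory permissions). The function names and the sample user/group assignments are assumptions of this example.

```python
"""Check a proposed set of Windows privilege assignments against the rules
on this page. Added example; the privilege list and the flagged entries come
from the table above, everything else (function names, sample data) is assumed."""

# The four user rights that take the suffix "Right" instead of "Privilege".
LOGON_RIGHTS = {"BatchLogon", "InteractiveLogon", "NetworkLogon", "ServiceLogon"}

# Privilege names exactly as they appear in the table.
PRIVILEGES = {
    "AssignPrimaryToken", "Audit", "Backup", "BatchLogon", "ChangeNotify",
    "CreatePagefile", "CreatePermanent", "CreateToken", "Debug",
    "IncreaseBasePriority", "IncreaseQuota", "InteractiveLogon", "LoadDriver",
    "LockMemory", "MachineAccount", "NetworkLogon", "ProfileSingleProcess",
    "RemoteShutdownPrivilege", "Restore", "Security", "ServiceLogon",
    "Shutdown", "SystemEnvironment", "SystemProfile", "SystemTime",
    "TakeOwnership", "Tcb",
}

# Table entries that cannot be audited and are recommended against (C2 note).
NOT_RECOMMENDED = {"CreateToken", "Debug"}
# Table entries that replace all file/directory (or object) permissions.
OVERRIDES_PERMISSIONS = {"Backup", "Restore", "TakeOwnership"}


def normalize_privilege(name: str) -> str:
    """Return the table form of a privilege name.

    Accepts the bare name (Debug), the Se...Privilege spelling (SeDebugPrivilege)
    or, for the four logon rights only, the Se...Right spelling (SeBatchLogonRight).
    Raises ValueError for unknown names or a suffix that does not fit the name."""
    if name in PRIVILEGES:
        return name
    if not name.startswith("Se"):
        raise ValueError(f"unknown privilege: {name}")
    body = name[2:]
    if body in PRIVILEGES:  # e.g. SeRemoteShutdownPrivilege: table name already carries the suffix
        return body
    for suffix in ("Privilege", "Right"):
        if body.endswith(suffix):
            base = body[: -len(suffix)]
            if base not in PRIVILEGES:
                raise ValueError(f"unknown privilege: {name}")
            expected = "Right" if base in LOGON_RIGHTS else "Privilege"
            if suffix != expected:
                raise ValueError(f"{base} must be spelled Se{base}{expected}, not {name}")
            return base
    raise ValueError(f"unknown privilege: {name}")


def is_valid_privilege(name: str) -> bool:
    """True if normalize_privilege accepts the name."""
    try:
        normalize_privilege(name)
        return True
    except ValueError:
        return False


def effective_privileges(user_privs, user_groups, group_privs):
    """Privileges a user holds directly plus everything inherited from groups.

    user_privs:  iterable of names assigned to the user (any accepted spelling)
    user_groups: iterable of group names the user belongs to
    group_privs: mapping group name -> iterable of names assigned to that group"""
    held = {normalize_privilege(p) for p in user_privs}
    for group in user_groups:
        held |= {normalize_privilege(p) for p in group_privs.get(group, ())}
    return held


def review_privileges(privs) -> dict:
    """Split a set of table-form privileges into the categories the page warns about."""
    privs = set(privs)
    return {
        "not_recommended": sorted(privs & NOT_RECOMMENDED),
        "overrides_permissions": sorted(privs & OVERRIDES_PERMISSIONS),
        "other": sorted(privs - NOT_RECOMMENDED - OVERRIDES_PERMISSIONS),
    }


# Constructed sample data (assumed, not from the page): one user in two groups.
SAMPLE_GROUP_PRIVS = {
    "backupops": ["SeBackupPrivilege", "SeRestorePrivilege"],
    "devs": ["Debug", "SeInteractiveLogonRight"],
}
SAMPLE_USER_PRIVS = ["SeChangeNotifyPrivilege"]
SAMPLE_USER_GROUPS = ["backupops", "devs"]

if __name__ == "__main__":
    held = effective_privileges(SAMPLE_USER_PRIVS, SAMPLE_USER_GROUPS, SAMPLE_GROUP_PRIVS)
    for category, names in review_privileges(held).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Running the sample shows that the user, who was directly given only ChangeNotify, ends up with Debug (flagged as not recommended) and Backup/Restore (flagged as overriding file permissions) through group membership, which is the inheritance the first paragraph describes.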
Copyright © 2013 CA Technologies.
All rights reserved.