Contents of this module
This module contains a table describing the default user rights assignments on the Microsoft® Windows 2000® operating system and lists the changes to those defaults that are recommended in the module Windows 2000 Security Configuration.
Objectives
Use this module to:
• Understand the default user rights assignments on a Windows 2000 system.
• Understand the recommended changes to the default user rights assignments that provide a more secure environment.
Applies to
This module applies to the following products and technologies:
• Microsoft Windows 2000 operating system
• Microsoft Windows 2000 domain controllers
• Microsoft Windows 2000 domains
How to use this module
Use this module to understand the default user rights assignment settings of Windows 2000 and to review the recommended changes to those defaults that create a more secure environment.
To get the most out of this module:
• Read the module Windows 2000 Security Configuration. It documents the security settings that can be used to improve the security of Windows 2000 in detail.
• Read the module Windows 2000 Default Security Policy Settings. It describes the default security policy settings applied to the different Windows 2000 system roles.
• Read the module Windows 2000 Security Configuration Tools. It covers the Windows 2000 tools that can be used to apply a security configuration.
• Use the checklist Windows 2000 Security Configuration Checklist. It contains the security checklist to use when evaluating a system to ensure that all configuration changes have been completed.
• Use the included How To modules:
• How To: Install Windows 2000 Securely
• How To: Configure and Apply Security Templates in Windows 2000
User rights and privileges
Table 1 describes the user rights and privileges assigned by default on stand-alone Windows 2000 Professional and Windows 2000 Server systems and on Windows 2000 domain controllers. It also lists the defaults in the domain security policy, where no user rights are defined by default. For domain members, user rights assignments defined in the domain security policy override the corresponding settings in the local security policy.
You can find the user rights assignments in the Local Security Policy and Domain Security Policy graphical user interfaces as follows:
• Windows 2000 Professional: Administrative Tools -> Local Security Policy -> Security Settings / Local Policies / User Rights Assignment
• Windows 2000 Server: Administrative Tools -> Local Security Policy -> Security Settings / Local Policies / User Rights Assignment
• Windows 2000 Domain Controller: Administrative Tools -> Domain Controller Security Policy -> Windows Settings / Security Settings / Local Policies / User Rights Assignment
• Windows 2000 Domain: Administrative Tools -> Domain Security Policy -> Windows Settings / Security Settings / Local Policies / User Rights Assignment
Table 1: User rights and privileges
For each user right or privilege the table gives its description and then, for each of four settings, the groups assigned the right by default and the recommended change (or "do not change"):
• Professional: a stand-alone Windows 2000 Professional computer
• Server: a stand-alone Windows 2000 Server computer
• Domain policy: the Windows 2000 domain security policy (stored on the domain controller)
• Domain controller: a Windows 2000 domain controller running Active Directory (Domain Controller Security Policy)
Where an entry says "computer name\Guest", the group is the local Guest account of that computer.

Access this computer from the network (SeNetworkLogonRight)
Description: Allows a user to connect to the computer over the network.
• Professional: default: Administrators, Backup Operators, Power Users, Users, Everyone; recommended change: Administrators, Backup Operators, Power Users, Users, Authenticated Users
• Server: default: Administrators, Backup Operators, Power Users, Users, Everyone; recommended change: Administrators, Backup Operators, Power Users, Users, Authenticated Users
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators, Authenticated Users, Everyone; recommended change: Administrators, Authenticated Users

Log on as a batch job (SeBatchLogonRight)
Description: Allows a user to log on by means of a batch-queue facility.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Log on locally (SeInteractiveLogonRight)
Description: Allows a user to log on locally at the computer's keyboard.
• Professional: default: Administrators, Backup Operators, Power Users, Users, computer name\Guest; recommended change: Administrators, Backup Operators, Power Users, Users
• Server: default: Administrators, Backup Operators, Power Users, Users, computer name\Guest, computer name\TsInternetUser; recommended change: Administrators, Backup Operators, Power Users, Users
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators, TsInternetUser; recommended change: Administrators, Account Operators, Backup Operators, Print Operators, Server Operators

Log on as a service (SeServiceLogonRight)
Description: Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned this right.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Deny access to this computer from the network (SeDenyNetworkLogonRight)
Description: Prevents a user from connecting to the computer over the network.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Deny logon locally (SeDenyInteractiveLogonRight)
Description: Prevents a user from logging on locally at the computer.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Deny logon as a batch job (SeDenyBatchLogonRight)
Description: Prevents a user from logging on by means of a batch-queue facility.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Deny logon as a service (SeDenyServiceLogonRight)
Description: Prevents a user from logging on as a service.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Act as part of the operating system (SeTcbPrivilege)
Description: Allows a process to authenticate as any user and therefore gain access to the same resources as that user. Only low-level authentication services should require this privilege. The potential access is not limited to what is associated with the user by default, because the calling process can request that arbitrary additional access rights be placed in the access token. Of even more concern, the calling process can build an anonymous token that provides any and all access, and an anonymous token provides no primary identity for tracking events in the audit log. By default the LocalSystem account has this privilege.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Add workstations to domain (SeMachineAccountPrivilege)
Description: Allows a user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of the local security policy for the domain controllers in the domain. A user who holds this privilege can add up to 10 workstations to the domain. In Windows 2000 the behavior of this privilege is duplicated by the Create Computer Objects permission on organizational units and on the default Computers container in Microsoft Active Directory®. A user who has the Create Computer Objects permission can add an unlimited number of computers to the domain.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Authenticated Users; recommended change: Domain Admins

Back up files and directories (SeBackupPrivilege)
Description: Allows a user to circumvent file and directory permissions in order to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API); otherwise normal file and directory permissions apply.
• Professional: default: Administrators, Backup Operators; recommendation: do not change
• Server: default: Administrators, Backup Operators; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators, Backup Operators, Server Operators; recommendation: do not change

Bypass traverse checking (SeChangeNotifyPrivilege)
Description: Allows a user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it only allows the user to traverse it.
• Professional: default: Administrators, Backup Operators, Power Users, Users, Everyone; recommendation: do not change
• Server: default: Administrators, Backup Operators, Power Users, Users, Everyone; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators, Authenticated Users, Everyone; recommendation: do not change

Change the system time (SeSystemTimePrivilege)
Description: Allows a user to set the time of the computer's internal clock.
• Professional: default: Administrators, Power Users; recommendation: do not change
• Server: default: Administrators, Power Users; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators, Server Operators; recommendation: do not change

Create a token object (SeCreateTokenPrivilege)
Description: Allows a process to create an access token by calling NtCreateToken() or another token-creating API.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Create permanent shared objects (SeCreatePermanentPrivilege)
Description: Allows a process to create a directory object in the Windows 2000 Object Manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that run in kernel mode already have this privilege, so it does not need to be assigned to them.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Create a pagefile (SeCreatePagefilePrivilege)
Description: Allows a user to create a pagefile and change its size.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators; recommendation: do not change

Debug programs (SeDebugPrivilege)
Description: Allows a user to attach a debugger to any process.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators; recommendation: do not change

Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
Description: Allows a user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer granted this privilege must also have write access to the account control flags on the object.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators; recommendation: do not change

Force shutdown from a remote system (SeRemoteShutdownPrivilege)
Description: Allows a user to shut down the computer from a remote location on the network.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators, Server Operators; recommendation: do not change

Generate security audits (SeAuditPrivilege)
Description: Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access and other security-relevant activity.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Increase quotas (SeIncreaseQuotaPrivilege)
Description: Allows a process that has Write Property access to another process to increase the processor quota assigned to that process. This privilege is useful for system tuning but can be abused, for example in a denial-of-service attack.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators; recommendation: do not change

Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
Description: Allows a process that has Write Property access to another process to increase the execution priority of that process.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators; recommendation: do not change

Load and unload device drivers (SeLoadDriverPrivilege)
Description: Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; only Administrators can install those. Note that device drivers run as trusted (highly privileged) programs, so a user can abuse this privilege by installing malicious code as a device driver and thereby gain disruptive access to the system.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators; recommendation: do not change

Lock pages in memory (SeLockMemoryPrivilege)
Description: Allows a process to keep data in physical memory, which prevents the system from paging that data to virtual memory on disk. Assigning this privilege can significantly degrade system performance.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Manage auditing and security log (SeSecurityPrivilege)
Description: Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is only actually performed once it has been enabled in the Audit Policy. A user who has this privilege can also view and clear the security log from Event Viewer.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators; recommendation: do not change

Modify firmware environment values (SeSystemEnvironmentPrivilege)
Description: Allows system environment variables to be modified, either by a process through an API or by a user through System Properties.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators; recommendation: do not change

Profile single process (SeProfileSingleProcessPrivilege)
Description: Allows a user to run Microsoft Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of non-system processes.
• Professional: default: Administrators, Power Users; recommendation: do not change
• Server: default: Administrators, Power Users; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators; recommendation: do not change

Profile system performance (SeSystemProfilePrivilege)
Description: Allows a user to run Microsoft Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes.
• Professional: default: Administrators; recommendation: do not change
• Server: default: Administrators; recommendation: do not change
• Domain policy: default: (undefined); recommended change: Administrators
• Domain controller: default: Administrators; recommendation: do not change

Remove computer from docking station (SeUndockPrivilege)
Description: Allows the user of a portable computer to undock it by clicking Eject PC on the Start menu.
• Professional: default: Administrators, Power Users, Users; recommendation: do not change
• Server: default: Administrators, Power Users, Users; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators; recommendation: do not change

Replace a process level token (SeAssignPrimaryTokenPrivilege)
Description: Allows a parent process to replace the access token associated with a child process.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: none; recommendation: do not change

Restore files and directories (SeRestorePrivilege)
Description: Allows a user to circumvent file and directory permissions when restoring backed-up files and directories, and to set any valid security principal as the owner of an object.
• Professional: default: Administrators, Backup Operators; recommendation: do not change
• Server: default: Administrators, Backup Operators; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators, Backup Operators, Server Operators; recommendation: do not change

Shut down the system (SeShutdownPrivilege)
Description: Allows a user to shut down the local computer.
• Professional: default: Administrators, Backup Operators, Power Users, Users; recommended change: Administrators, Backup Operators, Power Users, Authenticated Users
• Server: default: Administrators, Backup Operators, Power Users; recommended change: Administrators, Backup Operators, Power Users, Authenticated Users
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrators, Account Operators, Backup Operators, Server Operators, Print Operators; recommendation: do not change

Synchronize directory service data (SeSyncAgentPrivilege)
Description: Allows a service to provide directory synchronization services. This privilege is relevant only on domain controllers; a domain controller that uses an LDAP directory synchronization service must have it. It allows the holder to read all objects and properties in the directory regardless of the protection on those objects and properties. By default it is assigned to the Administrator and LocalSystem accounts on domain controllers.
• Professional: default: none; recommendation: do not change
• Server: default: none; recommendation: do not change
• Domain policy: default: (undefined); recommendation: do not change
• Domain controller: default: Administrator; recommendation: do not change

Take ownership of files or other objects (SeTakeOwnershipPrivilege)
Description: Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
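The recommended changes in Table 1 can be verified against a live system by exporting its current settings with `secedit /export /cfg <file>` and comparing the [Privilege Rights] section with the table. The following script is an added example written for this page, not code from the original module or from Microsoft: it parses the [Privilege Rights] section of such an export, maps the `*S-1-...` SID tokens that secedit writes back to the group names used in Table 1, reports every principal that is present but not recommended (for example Everyone in SeNetworkLogonRight, or the local Guest account in SeInteractiveLogonRight) and every recommended principal that is missing, and renders the recommended assignments as template lines. The two export snippets are constructed sample data, the domain SID in them is made up, the SID-to-name table covers only the well-known groups the table mentions, and only the rights that the module actually changes are encoded in RECOMMENDED; extending it to the "do not change" rows is left to the reader.

```python
import re

# Well-known SIDs as secedit /export writes them (with a leading '*').
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
NAME_TO_SID = {name: sid for sid, name in WELL_KNOWN_SIDS.items()}
# Domain-relative principals are identified by the RID after the domain SID.
DOMAIN_RIDS = {"501": "Guest", "512": "Domain Admins"}

# Recommended assignments from Table 1 for the rights the module changes.
RECOMMENDED = {
    "professional": {
        "SeNetworkLogonRight": {"Administrators", "Backup Operators", "Power Users", "Users", "Authenticated Users"},
        "SeInteractiveLogonRight": {"Administrators", "Backup Operators", "Power Users", "Users"},
        "SeShutdownPrivilege": {"Administrators", "Backup Operators", "Power Users", "Authenticated Users"},
    },
    "domain_controller": {
        "SeNetworkLogonRight": {"Administrators", "Authenticated Users"},
        "SeInteractiveLogonRight": {"Administrators", "Account Operators", "Backup Operators", "Print Operators", "Server Operators"},
        "SeMachineAccountPrivilege": {"Domain Admins"},
    },
}

def sid_to_name(token):
    """Map a '*S-1-...' token to a Table 1 group name; unknown tokens are kept verbatim."""
    sid = token.lstrip("*")
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m and m.group(1) in DOMAIN_RIDS:
        return DOMAIN_RIDS[m.group(1)]
    return token

def parse_privilege_rights(inf_text):
    """Return {right: set(principal names)} from the [Privilege Rights] section of an export."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {sid_to_name(t.strip()) for t in value.split(",") if t.strip()}
    return rights

def audit(assigned, role):
    """List (right, extra principals, missing principals) where the export deviates from Table 1."""
    findings = []
    for right, wanted in RECOMMENDED[role].items():
        have = assigned.get(right, set())
        extra, missing = sorted(have - wanted), sorted(wanted - have)
        if extra or missing:
            findings.append((right, extra, missing))
    return findings

def render_privilege_rights(role):
    """Emit [Privilege Rights] lines for a template; names without a well-known SID stay as names."""
    lines = []
    for right, members in sorted(RECOMMENDED[role].items()):
        tokens = ["*" + NAME_TO_SID[m] if m in NAME_TO_SID else m for m in sorted(members)]
        lines.append(f"{right} = {','.join(tokens)}")
    return lines

# Constructed sample exports (the S-1-5-21-... domain SID is made up).
SAMPLE_PROFESSIONAL = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-501
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
SAMPLE_DC = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-550,*S-1-5-32-549,*S-1-5-21-1111111111-2222222222-3333333333-1006
SeMachineAccountPrivilege = *S-1-5-11
"""

if __name__ == "__main__":
    for role, sample in (("professional", SAMPLE_PROFESSIONAL), ("domain_controller", SAMPLE_DC)):
        for right, extra, missing in audit(parse_privilege_rights(sample), role):
            print(f"{role}: {right}: remove {extra or '-'}; add {missing or '-'}")
        print("\n".join(render_privilege_rights(role)))
```

The rendered lines can be pasted into the [Privilege Rights] section of a security template and applied with `secedit /configure /db <db> /cfg <template>`; the unknown SID reported for the domain controller sample (the TsInternetUser account in Table 1 has no well-known SID) shows why the script keeps unresolved tokens rather than dropping them.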