Tell a little about this 2000 Privilege.
Privilege provides a means for local administrators, which can control what permissions can have any permissions or what kind of system operation can be performed.
Interactive login, etc. Here we say privilege refers to the permissions required for special operations, such as backups! Once awarded some privilege,
These privileges will include in the user's secure access token. This is some basic concepts, you can see the following, it is easier to understand.
In order to manage the convenience of management, the corresponding privileges are always allocated, and they never change this privilege, which can be divided into built-in capabilities, standard user power, advanced user power on the NT system, but In 2000, the standard rights and advanced power have been replaced by user privileges, and only the rights of NT can be mapped to the server and user account (SeenableDelegationPriviege) and the computer from the Dock from Dock. The privileges in 2000.
Pay attention to some problems of 2000. Not all capabilities have matching rights, so it is impossible to completely match the built-in capabilities of the group. Because
The predefined assignment of specific group capabilities and cannot be copied to power, it is difficult to distinguish between tasks and can only force the concept of minimum privileges.
Then lack of a security structure at the level level, resulting in difficult to grant management. 2000 After the introduction of AD, you can grant the task.
The corresponding management levels of Domain and OUs.
Let's talk about some of some of some of the privileges, there should be 26, and there are 28.
SetCBPrivilege
Become a part of the OS
Allowing the process can be identified as the user, so you can access the corresponding resources like a user. Only the underlying authentication service requires such privileges so whether it is a workstation, stand-alone server, or DC does not set this to someone's right.
SemachineAccountPrivilege
Adding a workstation to the domain for this privilege can be enabled, you must ensure that this user is only in the domain controller local security policy.
Sebackupprivilege
Backup files and directories.
Allows users to bypass files and directory permissions to make backups. This privilege is only checked if the application is trying to access the NTFS backup API. By default, this privilege is assigned to Administrators and Backup Operators.
SechangenotifyPrivilege
Avoid traversal examination.
Allows the user to move back and forth, but cannot list the contents of the folder. By default, this privilege is given administrators.
Backup Operators, Power Users, Users, And Everyone, in other words, everyone has this right.
SESYSTEMTIMEPRIVILEGEGEGEGE
Change the system time.
By default, Administrators and Power Users have this right.
SecreatePageFilePrivilege
Create a paging file.
Allow users to create and change the size of a paging file. By default, only Administrators have this privilege.
SecreateTokenPrivilege
Create a token object.
Allows the process to call NtCreateToken () or other Token-Creating APIs created an access token.
SecreatePermanentPrivilege
Create a permanent shared object.
Allow the process to create a directory object in the 2000 Item Manager.
Sedebugprivilege
Debugger.
Allow users to connect to a debugger to debug any process. By default, Administrators have this privilege.
SeenableDelegationPrivilege
Trust computer and user account for delegation.
Allow users to change trust in order to delegate, only when the user or the computer is written, the account control flag of the object is written. Seremoteshutdownprivilege
Remote shutdown system.
Administrators have this privilege by default.
SeauditPrivilege
Generate a security audit.
Allow an application to create, generate, add a record in the security log.
SeincreasequoTaprivilege
Increase the limit.
Allow a write attribute to use other processes to achieve more processor limits, this privilege is conducive to system debugging, but there is also caused
The possibility of DOS.
SeincreaseBase ProrityPrivilege
Add scheduling priority.
Allows a process with write properties to use other processes to get more execution priority. Users with this privilege can change the scheduling priority of a process in the Task Manager. ADMINISTRATORS is the privilege by default.
SELOADDRIVERPRIVILEGEGE
Install and uninstall the device driver.
Allow users to install and uninstall the drivers of plug and playing devices, not the plug-and-play, unreasonable, but only
Administrators installed. Because the driver is run as a trusted program, this requires a high privilege. This privilege may be used to install malicious programs and disruptive access. By default, Administrators have this privilege.
SeecurityPrivilege
Manage audit and security logs.
Allow users to specify audits for object access. Users with this privilege can also empty the safety log. ADMINISTRATORS has this privilege by default
.
SESYSTEMENVIRONMENTPRIVILEGE
Modify the Firmware environment variable.
Allows the user to use the process through an API to set the system environment variable, alternatively, allow users to use System Properties to do this. By default, Administrators have this privilege.
SEPROFILESINGLEPROCESSPRIVILEGEGE
PROFILE SLR process.
Allows users to use performance monitors to monitor the Nonsystem process. By default, Administrators have this privilege.
SESYSTEMPROFILEPRIVILEGEGE
PROFILE system performance.
Allow users to use performance monitors to monitor the System process. By default, Administrators have this privilege.
SeundockPrivilege
Remove it in your computer.
Allow users to remove the computer from the EJECT PC slave, by default, the application, Power Users, and Users have this special
right.
SeassignprimaryTokenPrivilege
Replace a process level token.
Allow a parent process to replace the access token of the associated sub-process.
Serestoreprivilege
Restore files and directories.
Allow users to bypass files and directory permissions to recover backup files. ADMINISTRATORS and Backup Operators have this privilege by default.
SESHUTDOWNPRIVILEGEGEGEGE
Turn off the system.
Allow users to close the local computer. By default, Administrators, Backup Operators, Power Users, users have this privilege, but users in 2000 Server do not have this privilege.
SESYNCHAGENTPRIVILEGEGEGEGE
Synchronize directory service data.
Allow a process to provide a directory synchronization service, this privilege is only on the DC. ADMINISTRATORS and Localsystem accounts by default are privileged.
Setakeownershipprivilege
Get the file owner identity.
