Some Privilege for Windows 2000
Privilege provides a means for local administrators, which can control what permissions or what kind of system operation can be performed, such as allowing interactive logins, etc. Here we say privilege refers to the permissions required for special operations, such as backups! Once awarded some privilege,
These privileges will include in the user's secure access token. This is some basic concepts, you can see the following, it is easier to understand.
In order to manage the convenience of management, the corresponding privileges are always allocated, and they never change this privilege, which can be divided into built-in capabilities, standard user power, advanced user power on the NT system, but In 2000, the standard rights and advanced power have been replaced by user privileges, and only the rights of NT can be mapped to the server and user account (SeenableDelegationPriviege) and the computer from the Dock from Dock. The privileges in 2000. Pay attention to some problems of 2000. Not all capabilities have matching rights, so it is impossible to completely match the built-in capabilities of the group. Because
The predefined assignment of specific group capabilities and cannot be copied to power, it is difficult to distinguish between tasks and can only force the concept of minimum privileges.
Then lack of a security structure at the level level, resulting in difficult to grant management. 2000 After the introduction of AD, you can grant the task.
The corresponding management levels of Domain and OUs.
Let's talk about some of some of some of the privileges, there should be 26, and there are 28.
SetCBPrivilege is a part of the OS allows the process to be identified as a user, so you can access the corresponding resources like users. Only the underlying authentication service requires such privileges so whether it is a workstation, stand-alone server, or DC does not set this to someone's right.
SemachineAcCountPrivilege Add Workstation to the domain to enable this privilege, you must ensure that this user is only in the domain controller local security policy.
Sebackupprivilege backup files and directories. Allows users to bypass files and directory permissions to make backups. This privilege is only checked if the application is trying to access the NTFS backup API. By default, this privilege is assigned to Administrators and Backup Operators.
SechangeNotifyPrivilege avoids traversal inspection. Allows the user to move back and forth, but cannot list the contents of the folder. By default, this privilege is given administrators.
Backup Operators, Power Users, Users, And Everyone, in other words, everyone has this right.
SESYSTEMTIMEPRIVILEGE changes the system time. By default, Administrators and Power Users have this right.
SecreatePageFilePrivilege creates a paging file. Allow users to create and change the size of a paging file. By default, only Administrators have this privilege.
SecreateTokenPrivilege creates a token object. Allows the process to call NtCreateToken () or other Token-Creating APIs created an access token.
SecreatePermanentPrivilege creates a permanent shared object. Allow the process to create a directory object in the 2000 Item Manager.
SedebugPrivilege debugger. Allow users to connect to a debugger to debug any process. By default, Administrators have this privilege.
SeenableDelegationPrivilege is trustworthy computers and user accounts. Allow users to change trust in order to delegate, only when the user or the computer is written, the account control flag of the object is written. SeremoteshutDownprivilege Remote Off System. Administrators have this privilege by default.
SeauditPrivilege produces a security audit. Allow an application to create, generate, add a record in the security log.
SeincreasequoTaprivilege increases the limit. Allows a write property to use other processes to achieve more processor limits, this privilege is conducive to system debugging, but there are also possible possibilities that cause DOS.
SeincreaseBase ProrityPrivilege increases the schedule priority. Allows a process with write properties to use other processes to get more execution priority. Users with this privilege can change the scheduling priority of a process in the Task Manager. ADMINISTRATORS is the privilege by default.
SELOADDRIVERPRIVILEGE Installation and Uninstall Device Drivers. Allows users to install and uninstall the drivers of Plug and Play devices, not the plug-and-play unrelated privilege, but can only be installed by Administrators. Because the driver is run as a trusted program, this requires a high privilege. This privilege may be used to install malicious programs and disruptive access. By default, Administrators have this privilege.
SESESECURITYPRIVILEGE Management Audit and Security Logs. Allow users to specify audits for object access. Users with this privilege can also empty the safety log. ADMINISTRATORS has this privilege by default
.
SESYSTEMENVIRONMENTPRIVILEGE Modify the Firmware environment variable. Allows the user to use the process through an API to set the system environment variable, alternatively, allow users to use System Properties to do this. By default, Administrators have this privilege.
SeprofileSingleProcessPrivilege Profile single process. Allows users to use performance monitors to monitor the Nonsystem process. By default, Administrators have this privilege.
SESYSTEMPROFILEPRIVILEGE PROFILE system performance. Allow users to use performance monitors to monitor the System process. By default, Administrators have this privilege.
SeundockPrivilege removes in your computer. Allow users to remove the computer from the dock in the EJECT PC, by default, the ADMINISTRATORS, POWER USERS, and User have this profit.
SeassignPrimaryTokenPrivilege Replace a process level token. Allow a parent process to replace the access token of the associated sub-process.
SerystorePrivilege Restore files and directories. Allow users to bypass files and directory permissions to recover backup files. ADMINISTRATORS and Backup Operators have this privilege by default.
SESHUTDOWNPRIVILEGE Turn off the system. Allow users to close the local computer. By default, Administrators, Backup Operators, Power Users, users have this privilege, but users in 2000 Server do not have this privilege.
SESYNCHAGENTPRIVILEGE Synchronize Directory Service Data. Allow a process to provide a directory synchronization service, this privilege is only on the DC. ADMINISTRATORS and Localsystem accounts by default are privileged.
