User Rights

User rights are rules that determine the actions a user can perform. Unless the computer is a domain controller, they are computer-specific policies. If it is a domain controller, the computer policy extends to all domain controllers in the domain.

Note

In the current release of Windows NT, the set of user rights is defined by the system and cannot be changed. Future versions of Windows NT may allow software developers to define new user rights appropriate to their application.

User rights can be assigned to individual user accounts, but are usually (and more efficiently) assigned to groups. Predefined (built-in) groups have sets of user rights already assigned. Administrators usually assign user rights by adding a user account to one of the predefined groups or by creating a new group and assigning specific user rights to that group. Users who are subsequently added to a group automatically gain all user rights assigned to the group account.

There are several user rights that administrators of high-security installations should be aware of and possibly audit. Of these, you might want to change the default permissions for two rights: Log on locally and Shut down the system.

Table 2.1 Default user rights that may require changing


User Right

Groups assigned this right by default

Recommended change

Log on locally
Allows a user to log on at the computer, from the computer's keyboard.

Administrators, Backup Operators, Everyone, Guests, Power Users, and Users

Deny Everyone and Guests this right.

Shut down the system (SeShutdownPrivilege)
Allows a user to shut down Windows NT.

Administrators, Backup Operators, Everyone, Power Users, and Users

Deny Everyone and Users this right.


The rights in the following table generally require no changes to the default settings, even in the most highly secure installations.

Table 2.2 Default user rights

Right

Allows

Initially assigned to

Access this computer from the network

A user to connect to the computer over the network.

Administrators, Everyone, Power Users

Act as part of the operating system
(SeTcbPrivilege)

A process to perform as a secure, trusted part of the operating system. Some subsystems are granted this right.

(None)

Add workstations to the domain (SeMachineAccountPrivilege)

Nothing. This right has no effect on computers running Windows NT.

(None)

Back up files and directories
(SeBackupPrivilege)

A user to back up files and directories. This right supersedes file and directory permissions.

Administrators, Backup Operators

Bypass traverse checking (SeChangeNotifyPrivilege)

A user to change directories and to access files and subdirectories, even if the user has no permission to access parent directories.

Everyone

Change the system time
(SeSystemTimePrivilege)

A user to set the time for the internal clock of the computer.

Administrators, Power Users

Create a pagefile
(SeCreatePagefilePrivilege)

Nothing. This right has no effect in current versions of Windows NT.

Administrators

Create a token object
(SeCreateTokenPrivilege)

A process to create access tokens. Only the Local Security Authority can do this.

(None)

Create permanent shared objects
(SeCreatePermanentPrivilege)

A user to create special permanent objects, such as \\Device, that are used within Windows NT.

(None)

Debug programs
(SeDebugPrivilege)

A user to debug various low-level objects, such as threads.

Administrators

Force shutdown from a remote system
(SeRemoteShutdownName)

A user to shut down a remote computer.

Administrators

Generate security audits
(SeAuditPrivilege)

A process to generate security-audit log entries.

(None)

Increase quotas
(SeIncreaseQuotaPrivilege)

Nothing. This right has no effect in current versions of Windows NT.

(None)

Increase scheduling priority
(SeIncreaseBasePriorityPrivilege)

A user to boost the execution priority of a process.

Administrators, Power Users

Load and unload device drivers
(SeLoadDriverPrivilege)

A user to install and remove device drivers.

Administrators

Lock pages in memory
(SeLockMemoryPrivilege)

A user to lock pages in memory so they cannot be paged out to a backing store, such as Pagefile.sys.

(None)

Log on as a batch job

Nothing. This right has no effect in current versions of Windows NT.

(None)

Log on as a service

A process to register with the system as a service.

(None)

Log on locally

A user to log on at the computer from the computer keyboard.

Administrators, Backup Operators, Guests, Power Users, Users

Manage auditing and security log
(SeSecurityPrivilege)

A user to specify what types of resource access (such as file access) are to be audited, and to view and clear the security log. This right does not allow a user to set system auditing policy using Audit on the User Manager Policy menu. Members of the Administrators group can always view and clear the security log.

Administrators

Modify firmware environment variables
(SeSystemEnvironmentPrivilege)

A user to modify system- environment variables stored in nonvolatile RAM on systems that support this type of configuration.

Administrators

Profile single process
(SeProfSingleProcess)

A user to perform profiling (performance sampling) on a process.

Administrators, Power Users

Profile system performance
(SeSystemProfilePrivilege)

A user to perform profiling (performance sampling) on the system.

Administrators

Replace a process-level token
(SeAssignPrimaryTokenPrivilege)

A user to modify a process's security-access token. This is a powerful right, used only by the system.

(None)

Restore files and directories
(SeRestorePrivilege)

A user to restore backed-up files and directories. This right supersedes file and directory permissions.

Administrators, Backup Operators

Shut down the system
(SeShutdownPrivilege)

A user to shut down Windows NT.

Administrators, Backup Operators, Power Users, Users

Take ownership of files or other objects
(SeTakeOwnershipPrivilege)

A user to take ownership of files, directories, printers, and other objects on the computer. This right supersedes permissions protecting objects.

Administrators