User rights are rules that determine the actions a user can perform. Unless the computer is a domain controller, they are computer-specific policies. If it is a domain controller, the computer policy extends to all domain controllers in the domain.
Note: In the current release of Windows NT, the set of user rights is defined by the system and cannot be changed. Future versions of Windows NT may allow software developers to define new user rights appropriate to their application.
User rights can be assigned to individual user accounts, but are usually (and more efficiently) assigned to groups. Predefined (built-in) groups have sets of user rights already assigned. Administrators usually assign user rights by adding a user account to one of the predefined groups or by creating a new group and assigning specific user rights to that group. Users who are subsequently added to a group automatically gain all user rights assigned to the group account.
There are several user rights that administrators of high-security installations should be aware of and possibly audit. Of these, you might want to change the default permissions for two rights: Log on locally and Shut down the system.
Table 2.1 Default user rights that may require changing
| Right | Groups assigned this right by default | Recommended change |
|---|---|---|
| Log on locally | Administrators, Backup Operators, Everyone, Guests, Power Users, and Users | Deny Everyone and Guests this right. |
| Shut down the system (SeShutdownPrivilege) | Administrators, Backup Operators, Everyone, Power Users, and Users | Deny Everyone and Users this right. |
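The following added example (not part of the original documentation) resolves a user's effective rights through group membership and audits an assignment list against the Table 2.1 recommendations. The account names, the membership data, and the modelling of "deny" as removing the group from the right's assignment list are assumptions made for illustration.

```python
# Added example: resolve effective user rights through group membership and
# audit the Table 2.1 recommendations. All data below is constructed.

# Right -> accounts holding it (defaults as listed in Table 2.1).
DEFAULTS = {
    "Log on locally": {"Administrators", "Backup Operators", "Everyone",
                       "Guests", "Power Users", "Users"},
    "Shut down the system": {"Administrators", "Backup Operators", "Everyone",
                             "Power Users", "Users"},
}

# Table 2.1 "Recommended change" column: groups that should lose the right.
# Assumption: "deny" is modelled as removal from the assignment list.
RECOMMENDED_REMOVALS = {
    "Log on locally": {"Everyone", "Guests"},
    "Shut down the system": {"Everyone", "Users"},
}

# Hypothetical accounts and their explicit group memberships.
MEMBERSHIP = {"alice": {"Administrators"}, "bob": {"Users"}, "visitor": {"Guests"}}


def effective_rights(user, assignments, membership):
    """Rights held directly, via a group, or via Everyone (implicit for all)."""
    principals = {user, "Everyone"} | membership.get(user, set())
    return {right for right, holders in assignments.items() if holders & principals}


def audit(assignments):
    """Return sorted (right, group) pairs that Table 2.1 says to remove."""
    return sorted(
        (right, group)
        for right, groups in RECOMMENDED_REMOVALS.items()
        for group in groups & assignments.get(right, set())
    )


def harden(assignments):
    """Return a copy of the assignments with the Table 2.1 removals applied."""
    return {right: set(holders) - RECOMMENDED_REMOVALS.get(right, set())
            for right, holders in assignments.items()}


if __name__ == "__main__":
    hardened = harden(DEFAULTS)
    print("findings before:", audit(DEFAULTS))
    print("findings after: ", audit(hardened))
    for user in sorted(MEMBERSHIP):
        print(user, sorted(effective_rights(user, hardened, MEMBERSHIP)))
```

After the removals, the hypothetical account in Users still holds Log on locally because Users keeps that right, while the account that is only in Guests holds neither right.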
The rights in the following table generally require no changes to the default settings, even in the most highly secure installations.
Table 2.2 Default user rights
| Right | Allows | Initially assigned to |
|---|---|---|
| Access this computer from the network | A user to connect to the computer over the network. | Administrators, Everyone, Power Users |
| Act as part of the operating system | A process to perform as a secure, trusted part of the operating system. Some subsystems are granted this right. | (None) |
| Add workstations to the domain (SeMachineAccountPrivilege) | Nothing. This right has no effect on computers running Windows NT. | (None) |
| Back up files and directories | A user to back up files and directories. This right supersedes file and directory permissions. | Administrators, Backup Operators |
| Bypass traverse checking (SeChangeNotifyPrivilege) | A user to change directories and to access files and subdirectories, even if the user has no permission to access parent directories. | Everyone |
| Change the system time | A user to set the time for the internal clock of the computer. | Administrators, Power Users |
| Create a pagefile | Nothing. This right has no effect in current versions of Windows NT. | Administrators |
| Create a token object | A process to create access tokens. Only the Local Security Authority can do this. | (None) |
| Create permanent shared objects | A user to create special permanent objects, such as \\Device, that are used within Windows NT. | (None) |
| Debug programs | A user to debug various low-level objects, such as threads. | Administrators |
| Force shutdown from a remote system | A user to shut down a remote computer. | Administrators |
| Generate security audits | A process to generate security-audit log entries. | (None) |
| Increase quotas | Nothing. This right has no effect in current versions of Windows NT. | (None) |
| Increase scheduling priority | A user to boost the execution priority of a process. | Administrators, Power Users |
| Load and unload device drivers | A user to install and remove device drivers. | Administrators |
| Lock pages in memory | A user to lock pages in memory so they cannot be paged out to a backing store, such as Pagefile.sys. | (None) |
| Log on as a batch job | Nothing. This right has no effect in current versions of Windows NT. | (None) |
| Log on as a service | A process to register with the system as a service. | (None) |
| Log on locally | A user to log on at the computer from the computer keyboard. | Administrators, Backup Operators, Guests, Power Users, Users |
| Manage auditing and security log | A user to specify what types of resource access (such as file access) are to be audited, and to view and clear the security log. This right does not allow a user to set system auditing policy using Audit on the User Manager Policy menu. Members of the Administrators group can always view and clear the security log. | Administrators |
| Modify firmware environment variables | A user to modify system-environment variables stored in nonvolatile RAM on systems that support this type of configuration. | Administrators |
| Profile single process | A user to perform profiling (performance sampling) on a process. | Administrators, Power Users |
| Profile system performance | A user to perform profiling (performance sampling) on the system. | Administrators |
| Replace a process-level token | A user to modify a process's security-access token. This is a powerful right, used only by the system. | (None) |
| Restore files and directories | A user to restore backed-up files and directories. This right supersedes file and directory permissions. | Administrators, Backup Operators |
| Shut down the system | A user to shut down Windows NT. | Administrators, Backup Operators, Power Users, Users |
| Take ownership of files or other objects | A user to take ownership of files, directories, printers, and other objects on the computer. This right supersedes permissions protecting objects. | Administrators |