If you are familiar with the complete list of rights used by Windows NT, you'll see that the privileges that Windows Server 2003 uses are similar to those, with a few additions. These are the privileges you can use with Windows Server 2003:
- Act as part of the operating system—This right is usually granted to subsystems of the operating system, and for running services. It allows the holder to act as a secure, trusted part of the operating system. This is not a right you would normally need to grant to a user. The LocalSystem account possesses this privilege by default. You won't see this account, however, when you list user accounts in the Active Directory.
- Add workstations to a domain—Users or groups granted this privilege and logged in at a domain controller can add client computers (but not domain controller computers) to the domain. This privilege is granted by default to users that are authenticated and are logged in to a domain controller, in which case the user holding this privilege can add up to 10 other computers to the domain.
- Adjust memory quotas for a process—If an account is granted this privilege, the user can make changes for the amount of memory a process can use.
- Bypass traverse checking—The user holding this right can read through a directory tree, even though she might not have access to all directories in the tree. Thus the user can be granted access to a file that exists in a directory (or subdirectory) for which the user is denied access. The user account granted this privilege, however, cannot list (view) the contents of directories that are bypassed to get to the file or directory for which access is granted.
- Create a pagefile—This right is usually granted to just the Administrators group. It allows the user to create additional page files using the System applet in the Control Panel. By creating page files on disks other than those used for the operating system or for applications, you can usually increase performance on the system. Note that a partition of a disk is not the same thing as a separate disk. Using separate partitions on the same disk will not give you the increased performance.
- Create a token object—This is the right to create a user logon token and is usually not granted to an individual user, but instead only to the local security authority (LSA) on the Windows computer.
- Create permanent shared objects—This is the right to create special resource structures, such as a directory, that are used internally by the operating system. Again, this is not a right generally needed by, or granted to, users.
- Debug programs—This right allows a programmer to do low-level debugging. It is helpful for applications developers and administrators. However, as on most networks, this right should be granted only on laboratory or development systems, and not on a production server. It is not a good idea to allow application development to be performed on the same computer that is a production server that network users make use of. The reason for this is obvious: the application being tested or created on a development system can potentially cause the server to crash, or corrupt data.
- Enable computer and user accounts to be trusted for delegation—Accounts that hold this right can set the Trusted for Delegation setting on a user or computer account. The holder of this right can access resources on another computer—unless that computer has the Account Cannot Be Delegated control flag set. The account holding this right can use the authentication credentials of the client computer.
- Force shutdown from a remote source—This is a right you should grant sparingly. It allows a user to shut down another computer on the same network. If a computer or user's account becomes compromised because of security problems, this right can be used to shut down other computers, and thus be used to deny other computers access to those computers, resulting in a denial-of-service attack. A denial-of-service attack is an attack that attempts to overwhelm a computer by overloading it with resource requests. For example, a continuous stream of TCP connection attempts can quickly use up the memory data structures a computer can offer. By shutting down a computer that is undergoing a denial-of-service attack, you can begin to protect your network, especially if more than one computer is experiencing this type of attack.
- Generate security audits—This right is needed to create security audit log entries. This right generally is assigned not to a user, but instead to the operating system or applications.
- Increase scheduling priorities—This gives the capability to boost the scheduling priority of a process. Administrators have this right by default. However, increasing the priority of one process can potentially allow a process that is making heavy use of system resources to dramatically slow down or lock out other processes. This right is exercised through the Task Manager utility. Do not give this right to typical users who do not understand that raising the priority for their session can potentially severely impact other users of the computer. For all practical purposes, Windows server operating systems can adjust priorities as needed. The administrator can also use the System applet in the Control Panel to favor foreground (applications) or network services, without having to modify process priorities on a process-by-process basis.
- Load and unload device drivers—This gives the capability to load and unload device drivers (as well as other kernel mode code). Because kernel processes are the heart of the operating system, you should not grant this right to ordinary users. This right, instead, is granted to Administrators by default.
- Lock pages in memory—This right gives the capability to lock pages into physical memory so that users do not get swapped out to the pagefile during normal virtual memory operations. This is useful for a process running a real-time application, but this right is not generally given to ordinary users.
- Manage auditing and security log—This right lets the user determine those objects and resources that will be recorded in the security log file, and view the events produced by the auditing.
- Modify firmware environment variables—A user granted this right can modify firmware values stored in nonvolatile RAM of computers that are non-X86 computers (such as Intel or AMD). For example, on X86 computers, the user holding this right can modify only the Last Known Good Configuration setting. For Itanium computers, users granted this right can run the bootcfg.exe application and manage the Startup and Recovery properties for the computer.
- Profile a single process—This allows the user to set the collection of information about a non-system process, used for measuring performance. The user who has this right can use the Performance Monitor to view the performance of non-system processes running on the computer. Administrators have this right by default.
- Profile system performance—Similar to the preceding right, users who hold this right can perform the same functions, including the right to set or view system processes.
- Remove computer from docking station—This right enables a user account to gracefully remove a computer from a docking station without having to first log on to the computer. By default, this right is not granted to any user.
- Replace a process-level token—This right is usually restricted to the operating system, which gives the user the capability to modify a process's security access token.
- Restore files and directories—A user with this right can traverse directories and restore files and directories, or similar objects. This means that the user can restore files or entire directories, whether or not the user has permissions to access those files or directories when performing duties other than backup or restore functions. The user holding this right cannot use it to examine or change the contents of those files or directories. This right applies only to restoring files or directories.
- Shut down the system—Users holding this right can shut down the system. The user must be logged on to the system locally to perform this function.
- Synchronize directory service data—This gives the capability to synchronize all directory services. There is no account that possesses this right by default.
- Take ownership of files or other objects—Creators of files, directories, and other objects are in most cases the owners of these objects. Users holding this right can take ownership from the owner. This is useful when a user has left the company, and access is needed to the files, directories, or other objects.
Each of the previous privileges can be enabled for specific user accounts or groups. Some of these rights, however, are granted to groups by default. For example, the Backup Operators group can use the backup utility to back up files to offline storage, despite the protections that are in place for these files. This does not, however, give the Backup Operators group the capability of viewing or modifying files. Members of this group can just use the backup utility to save files to other media, such as a tape.
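As an added example (not from the book), the following PowerShell audits the local User Rights Assignment for the higher-risk rights described above and lists who holds each one; it assumes an elevated session on a Windows host and uses the Se*Privilege constant names that Windows assigns to these rights:

```powershell
# Added example, not part of the original text: report holders of the
# high-impact user rights discussed above on the local machine.
# Assumption: run from an elevated PowerShell session (secedit /export needs it).
$watchList = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeDebugPrivilege'              = 'Debug programs'
    'SeRemoteShutdownPrivilege'     = 'Force shutdown from a remote source'
    'SeLoadDriverPrivilege'         = 'Load and unload device drivers'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of files or other objects'
    'SeRestorePrivilege'            = 'Restore files and directories'
    'SeEnableDelegationPrivilege'   = 'Enable computer and user accounts to be trusted for delegation'
    'SeCreateTokenPrivilege'        = 'Create a token object'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
}

# Export only the User Rights Assignment area of the local security policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-Holder([string]$entry) {
    # secedit writes SIDs with a leading '*'; plain account names are returned as-is.
    if ($entry -notlike '*S-1-*') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }   # orphaned SID: keep the raw value so it stays visible
}

$report = foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $watchList.ContainsKey($Matches[1])) {
        $holders = $Matches[2].Split(',') | Where-Object { $_ } |
                   ForEach-Object { Resolve-Holder $_.Trim() }
        [pscustomobject]@{
            Privilege = $Matches[1]
            Right     = $watchList[$Matches[1]]
            Holders   = ($holders -join '; ')
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Per the guidance above, anything beyond BUILTIN\Administrators (and, for
# Restore, BUILTIN\Backup Operators) deserves a second look.
$report | Sort-Object Privilege | Format-Table -AutoSize
```

A right that is absent from the export is assigned to no one, so it simply does not appear in the report.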