User Rights 7.5.15 vjj 1
User Rights
Some permissions cannot (easily) be expressed as access rights on objects: these are the user rights.
User Rights
User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system-wide resources on a computer and can override the permissions that are set on particular objects.
Logon Rights
Logon rights control how security principals are allowed access to the computer:
- yes or no: allow logging on to the computer / deny logging on to the computer. Use a deny logon right as you would use a deny permission: to exclude a subset of a group that has been assigned an allow logon right.
- from where: from the keyboard / through a network connection
- special modes: as a service / as a batch job
Privileges
Privilege assignment:
- through Group Policy
- Ntrights.exe from the command prompt (W2K3 Resource Kit)
Because fundamental changes cannot be made to an existing security token, a change in the assigned privileges takes effect only after the user logs on again.
Assigned privileges are usually not active right away: before use they must be explicitly enabled.
Enabling a privilege: Win32 API

    #include <windows.h>

    HANDLE htok = 0;
    TOKEN_PRIVILEGES tp, tpold;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    DWORD cb = sizeof tp;
    /* both access rights are needed: TOKEN_QUERY to read the token,
       TOKEN_ADJUST_PRIVILEGES to change it */
    OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &htok);
    /* translate the privilege name into the LUID the token works with */
    LookupPrivilegeValue(0, SE_BACKUP_NAME, &tp.Privileges[0].Luid);
    /* enable the privilege; the previous state is saved in tpold */
    AdjustTokenPrivileges(htok, FALSE, &tp, cb, &tpold, &cb);

LUID (locally unique identifier): a 64-bit value that is guaranteed to be unique on the operating system that generated it until the system is restarted.
Enabling a privilege: .NET
API functions: OpenProcessToken, GetCurrentProcess, LookupPrivilegeValueW, AdjustTokenPrivileges
Two options:
- call all the functions from .NET through P/Invoke: complicated passing of parameters that are not compatible with .NET
- a custom wrapping C++ function (in a DLL), called from .NET through P/Invoke
myadjusttokenprivilege (C++)

    #include <windows.h>

    // Enables (or disables) one privilege in the current process token.
    // Exported from the wrapper DLL and called from .NET through P/Invoke.
    BOOL WINAPI myadjusttokenprivilege(LPCWSTR lpprivilegename, BOOL benable)
    {
        TOKEN_PRIVILEGES Privileges;
        HANDLE htoken;
        BOOL bresult;

        // TOKEN_ADJUST_PRIVILEGES is required by AdjustTokenPrivileges
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &htoken))
            return FALSE;

        Privileges.PrivilegeCount = 1;
        Privileges.Privileges[0].Attributes = (benable) ? SE_PRIVILEGE_ENABLED : 0;

        if (!LookupPrivilegeValueW(NULL, lpprivilegename,
                                   &Privileges.Privileges[0].Luid)) {
            CloseHandle(htoken);
            return FALSE;
        }

        bresult = AdjustTokenPrivileges(htoken, FALSE, &Privileges, 0, NULL, NULL);
        // AdjustTokenPrivileges returns TRUE even when the token does not hold
        // the privilege; that case is reported only through GetLastError()
        if (bresult && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            bresult = FALSE;

        CloseHandle(htoken);
        return bresult;
    }
P/Invoke: API -> .NET (C#)

    using System.Runtime.InteropServices;

    // CharSet.Auto marshals the string as LPCWSTR on NT-based Windows;
    // System.Boolean maps to the Win32 BOOL of the C++ wrapper
    [DllImport("myapi.dll",
               CharSet = CharSet.Auto,
               EntryPoint = "myadjusttokenprivilege",
               ExactSpelling = false,
               BestFitMapping = true,
               CallingConvention = CallingConvention.Winapi)]
    public static extern System.Boolean myadjusttokenprivilege(string lpprivilegename, System.Boolean benable);
Enabling the TCB privilege (C#)

    myadjusttokenprivilege("SeTcbPrivilege", true);
A cluttered overview
Logon rights

Access this computer from the network (SeNetworkLogonRight)
  Allows a user to connect to the computer from the network.
  Default: Administrators, Power Users, Users, Everyone, Backup Operators

Allow logon through Terminal Services (SeRemoteInteractiveLogonRight)
  Allows a user to log on to the computer by using a Remote Desktop connection.
  Default: Administrators, Remote Desktop Users

Log on as a batch job (SeBatchLogonRight)
  Allows a user to log on by using a batch-queue facility such as the Task Scheduler service.
  Default: Administrator, System, Support_xxxxxxxx

Log on locally (SeInteractiveLogonRight)
  Allows a user to start an interactive session on the computer.
  Default: Administrators, Power Users, Users, Guest, Backup Operators

Log on as a service (SeServiceLogonRight)
  Allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in ...
  Default: Network Service

Notes (truncated): "When an administrator uses t... task to run under a particular... automatically assigned the "L... scheduled time arrives, the Ta... batch job rather than as an in... security context." "The Support... Remote Assistance." "Users who do not have this rig... the computer if they have the..."
Privileges (Table B.2 Privileges)

Act as part of the operating system (SeTcbPrivilege)
  Allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this privilege.
  Default setting: Not assigned.
  Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log. When a service requires this privilege, configure the service to log on using the Local System account, which has the privilege inherently. Do not create a separate account and assign the privilege to it.

Add workstations to domain (SeMachineAccountPrivilege)
  Allows the user to add a computer to a specific domain. For the privilege to take effect, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain.
  Default setting: Not assigned.
  Users can also join a computer to a domain if they have Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have this permission can add an unlimited number of computers to the domain regardless of whether they have been assigned the "Add workstations to a domain" privilege.

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  Allows a process that has access to a second process to increase the processor quota assigned to the second process. This privilege is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial-of-service attack.
  Default setting: Administrators, Local Service, and Network Service.
Back up files and directories (SeBackupPrivilege)
  Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
  Default setting: Administrators and Backup Operators.
  See also "Restore files and directories" in this table.
Standard privileges
Legend: A = Administrators, U = Users (and therefore Administrators as well), S = System (LocalSystem), o = assigned

Friendly name                                                   Programmatic name             Admin  System
Act as part of the operating system                             SE_TCB_NAME                          S
Add workstations to domain                                      SE_MACHINE_ACCOUNT_NAME
Back up files and directories                                   SE_BACKUP_NAME                A      S
Bypass traverse checking                                        SE_CHANGE_NOTIFY_NAME         U      S
Change the system time                                          SE_SYSTEMTIME_NAME            A      S
Create a page file                                              SE_CREATE_PAGEFILE_NAME       A      S
Create a token object                                           SE_CREATE_TOKEN_NAME                 S
Create permanent shared object                                  SE_CREATE_PERMANENT_NAME             S
Debug programs                                                  SE_DEBUG_NAME                 A      S
Enable computer and user account to be trusted for delegation   SE_ENABLE_DELEGATION_NAME
Force shutdown from a remote system                             SE_REMOTE_SHUTDOWN_NAME       A
Generate security audits                                        SE_AUDIT_NAME                        S
Increase quotas                                                 SE_INCREASE_QUOTA_NAME        A      o
Increase scheduling priority                                    SE_INC_BASE_PRIORITY_NAME     o      o
Load and unload device drivers                                  SE_LOAD_DRIVER_NAME           o      o
Lock pages in memory                                            SE_LOCK_MEMORY_NAME                  o
Manage auditing and security log                                SE_SECURITY_NAME              o      o
Modify firmware environment values                              SE_SYSTEM_ENVIRONMENT_NAME    o      o
Profile single process                                          SE_PROF_SINGLE_PROCESS_NAME   o      o
Profile system performance                                      SE_SYSTEM_PROFILE_NAME               o
Remove computer from docking station                            SE_UNDOCK_NAME                U      o
Replace a process-level token                                   SE_ASSIGNPRIMARYTOKEN_NAME           o
Restore files and directories                                   SE_RESTORE_NAME               o      o
Shut down the system                                            SE_SHUTDOWN_NAME              U      o
Synchronize directory service data                              SE_SYNC_AGENT_NAME
Take ownership of files or other objects                        SE_TAKE_OWNERSHIP_NAME        o      o
Privileges in the token of a user running as admin
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemTimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
Bypass traverse checking
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.
Default:
- on workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone
- on domain controllers: Administrators, Authenticated Users
SeEnableDelegationPrivilege
Allows setting the Trusted for Delegation property on computers in Active Directory. That property allows the computer to act on behalf of a user also when communicating with further servers.
Act as part of the operating system
SeTcbPrivilege (Tcb = Trusted Computing Base)
- Allows a process to perform as a secure, trusted part of the operating system.
- This user right allows a process to impersonate any user without authentication.
- Some subsystems are granted this right.
- Required to call LogonUser.
SeImpersonatePrivilege
- Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
Act as part of the operating system
This privilege allows a process to authenticate as, and therefore gain access to the same resources as, any user, by calling the LogonUser APIs to create an access token. Only low-level authentication services should require this privilege. The potential access is not limited to what is associated with the user by default, because the calling process may request that arbitrary additional accesses be put in the access token. Of even more concern is that the calling process can build an anonymous token that can provide any and all accesses. Additionally, this token does not provide a primary identity for tracking events in the audit log. It is recommended that processes requiring this privilege are run using the LocalSystem account, which already includes this privilege. This is preferable to using a separate user account with this privilege specially assigned. Because running as LocalSystem makes use of this privilege unnecessary, this privilege might be made obsolete in a future version of Windows.
Trusted Computing Base
Federal Standard 1037C, Telecommunications: Glossary of Terms
The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. Note: The ability of a trusted computing base to enforce correctly a unified security policy depends on the correctness of the mechanisms within the trusted computing base, the protection of those mechanisms to ensure their correctness, and the correct input of parameters related to the security policy.
TCB, Trusted Computing Base
Group Policy: (Start > Control Panel > Administrative Tools > Group Policy Management / Local Security Policy) Windows Settings > Security Settings > Local Policies > User Rights Assignment > Act as part of the operating system
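An added example (not code from the slides) of checking the User Rights Assignment reached through the path above against the defaults quoted in Table B.2: it exports the local policy with secedit, a standard Windows tool, parses the [Privilege Rights] section of the export and reports every audited privilege whose holders differ from the table. The three privileges and their expected holders come from the table; the well-known SIDs used to name those groups and the class name UserRightsAudit are this example's assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
// Audits the local User Rights Assignment against the defaults quoted in Table B.2.
// "secedit /export" writes the policy as an .inf file whose [Privilege Rights] section
// lists each privilege with the SIDs (prefixed "*") or account names that hold it.
static class UserRightsAudit
{
    // Expected holders taken from the table, as well-known SIDs (assumed mapping):
    static readonly Dictionary<string, string[]> Expected = new Dictionary<string, string[]>
    {
        { "SeTcbPrivilege",           new string[0] },                                   // Not assigned
        { "SeBackupPrivilege",        new[] { "S-1-5-32-544", "S-1-5-32-551" } },          // Administrators, Backup Operators
        { "SeIncreaseQuotaPrivilege", new[] { "S-1-5-32-544", "S-1-5-19", "S-1-5-20" } },  // Administrators, Local Service, Network Service
    };
    // Parses the [Privilege Rights] section of a secedit export into privilege -> holders.
    public static Dictionary<string, HashSet<string>> ParsePrivilegeRights(IEnumerable<string> lines)
    {
        var rights = new Dictionary<string, HashSet<string>>(); bool inSection = false;
        foreach (string raw in lines)
        {
            string line = raw.Trim();
            if (line.StartsWith("[")) { inSection = line == "[Privilege Rights]"; continue; }
            if (!inSection || !line.Contains("=")) continue;
            string[] kv = line.Split(new[] { '=' }, 2);
            rights[kv[0].Trim()] = new HashSet<string>(kv[1].Split(new[] { ',' },
                StringSplitOptions.RemoveEmptyEntries).Select(h => h.Trim().TrimStart('*')));
        }
        return rights;
    }
    // One finding per audited privilege whose holders differ from the default;
    // a privilege missing from the export is treated as "not assigned".
    public static List<string> FindDeviations(Dictionary<string, HashSet<string>> rights)
    {
        var findings = new List<string>();
        foreach (var kv in Expected)
        {
            HashSet<string> actual = rights.ContainsKey(kv.Key) ? rights[kv.Key] : new HashSet<string>();
            if (!actual.SetEquals(kv.Value))
                findings.Add(kv.Key + " held by: " + (actual.Count == 0 ? "(none)" : string.Join(", ", actual)));
        }
        return findings;
    }
    static void Main()   // run elevated: secedit /export needs administrative rights
    {
        string inf = Path.Combine(Path.GetTempPath(), "userrights.inf");
        Process.Start("secedit.exe", "/export /cfg \"" + inf + "\" /areas USER_RIGHTS").WaitForExit();
        foreach (string f in FindDeviations(ParsePrivilegeRights(File.ReadAllLines(inf))))
            Console.WriteLine("deviates from default: " + f);
    }
}
```

Any account reported as holding SeTcbPrivilege is worth investigating, since the table's default is "Not assigned" and the slides recommend running such services as LocalSystem instead.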