Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)

User rights are machine-specific and are enforced by the LSA. As in NT4, user rights in Windows 2000 and Windows Server 2003 can be set on the machine level. To set them, you can use the Local GPO editor (LGPO) or the command prompt utility “ntrights.exe” (part of the resource kit). From Windows 2000 onward, user rights can also be set and enforced globally using GPO settings.

10.6.1 New Windows 2000 user rights

Table 10.17 lists user rights that are new to Windows 2000.

Table 10.17: New Windows 2000 User Rights

| User Right | Meaning |
|---|---|
| Deny access to this computer from network; Deny logon as a batch job; Deny local logon; Deny logon as a service | Prohibits an entity from connecting to the computer from the network, logging on as a batch job, logging on locally, or logging on as a service. Each of these four deny rights has a corresponding grant right. If both the grant and the deny right are set, the deny right overrules the grant right. |
| Enable computer and user accounts to be trusted for delegation | Allows the user to change the Trusted for Delegation property on a user or computer object. Besides this right, the user must also have write access to the object’s account control flags. |
| Remove computer from docking station | Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu. This feature protects against theft on docking stations that have special security options to anchor the portable. |
| Synchronize directory service data | Allows a process to synchronize AD data. Obviously, this right is relevant only on domain controllers. |

10.6.2 New Windows Server 2003 user rights

Table 10.18 lists user rights that are new to Windows Server 2003.

Table 10.18: New Windows Server 2003 User Rights

| User Right | Meaning |
|---|---|
| Impersonate a client after authentication* | When you assign this right to a user, you permit programs that run on behalf of that user to impersonate a client. |
| Allow log on through Terminal Services | Allows a user to log on to a machine using Terminal Services. When you grant this user right, you no longer have to grant the user the Log on locally right (which was a requirement in Windows 2000). |
| Create global objects* | This user right is required for a user account to create global objects in a Terminal Services session. |
| Deny log on through Terminal Services | Denies a user the ability to log on to a machine using Terminal Services. When you deny this user right, you no longer have to deny the user the Log on locally right (which was a requirement in Windows 2000). |
| Adjust memory quotas for a process | Determines who can change the maximum memory that can be consumed by a process. |
| Perform volume maintenance tasks | Determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. |

* Both the “Impersonate a client after authentication” and “Create global objects” user rights were introduced in Service Pack 4 (SP4) for Windows 2000.
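An added example (not from the book) that applies the deny-overrules-grant rule from Tables 10.17 and 10.18 to a local policy export: it parses the [Privilege Rights] section of a file in the format written by `secedit /export /cfg` (an assumption about that format; SIDs carry a leading `*`) and reports principals that hold a logon right but also appear in the matching deny right, so that their access is effectively denied. The Se* privilege constants are the Windows names for these rights; the sample export, its principals and SIDs are constructed.

```python
"""Audit a secedit-style [Privilege Rights] export for grant/deny overlaps."""

# Grant right -> the deny right that overrules it (Windows privilege constants).
DENY_PAIRS = {
    "SeNetworkLogonRight": "SeDenyNetworkLogonRight",        # access from network
    "SeBatchLogonRight": "SeDenyBatchLogonRight",            # log on as batch job
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",  # local logon
    "SeServiceLogonRight": "SeDenyServiceLogonRight",        # log on as service
    "SeRemoteInteractiveLogonRight": "SeDenyRemoteInteractiveLogonRight",  # TS
}

# Constructed sample in the shape of a "secedit /export /cfg" INF file (assumption).
SAMPLE_INF = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1000-1001-1002-1105
SeDenyNetworkLogonRight = *S-1-5-21-1000-1001-1002-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-555,CONTOSO\\svc_backup
SeDenyRemoteInteractiveLogonRight = CONTOSO\\svc_backup
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        # Principals are comma-separated; SIDs carry a leading '*' in this format.
        rights[name] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def effective_logon_rights(rights):
    """Apply "deny overrules grant": {grant_right: (effective_holders, overruled)}."""
    result = {}
    for grant, deny in DENY_PAIRS.items():
        granted = rights.get(grant, set())
        denied = rights.get(deny, set())
        result[grant] = (granted - denied, granted & denied)
    return result

if __name__ == "__main__":
    for right, (_, overruled) in effective_logon_rights(parse_privilege_rights(SAMPLE_INF)).items():
        print(f"{right}: granted but overruled by deny right -> {sorted(overruled)}")
```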

10.6.3 User rights versus user permissions

User rights are very different from user permissions (defined in an object’s ACL). User rights ease authorization management for system resources and system-related tasks. Permissions are not authorization intermediaries. They control the access to any securable object. Also, permissions affect only a particular object or a group of objects on a computer system. User rights affect the entire computer. Finally, user rights are set by a GPO administrator. Permissions are set by the owner of an object or by the local administrator of a computer system.

If user rights conflict with permissions, user rights have precedence. For example, if an administrator has the right to back up files and directories on a system, and the owner of some files stored on the system has explicitly denied the administrator access to these files, the administrator will still be able to back up the files.
