Local Group Policies & Privileges
Local Group Policies
Rules governing system behavior on a local machine, including security, software, and system settings.
Example => A password policy forcing user passwords to be at least 12 characters long.
Configured in Windows via the Local Security Policy Editor under categories like Account Policies and Audit Policies.
Privileges
Subset of local group policies. Specific permissions assigned to users & groups.
Example => The SeShutdownPrivilege allows a user to shut down the system.
Also configured in the Local Security Policy Editor, but specifically under Local Policies -> User Rights Assignment.
Local Group Policies vs ACE
Local Group Policies & Privileges control access to system resources & operations.
ACEs control access to securable objects.
The Administrator sets the local group policies while the file owner or someone with enough permissions sets the DACL on objects.
Privileges Assignment
Windows has many native privileges that can be directly assigned to users, as well as default groups (e.g. Backup Operators) with a specific set of privileges.
Built-in privileges to watch for are:
SeNetworkLogonRight
Administrators, Authenticated Users
Determines which users can connect to the device from the network. This is required by network protocols such as SMB, NetBIOS, CIFS, and COM+.
SeRemoteInteractiveLogonRight
Administrators, Remote Desktop Users
This policy setting determines which users or groups can access the login screen of a remote device through a Remote Desktop Services connection. A user can establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.
SeBackupPrivilege
Administrators
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
SeSecurityPrivilege
Administrators
This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user assigned this user right can also view and clear the Security log in Event Viewer.
SeTakeOwnershipPrivilege
Administrators
This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
SeDebugPrivilege
Administrators
This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating system components.
SeImpersonatePrivilege
Administrators, Local Service, Network Service, Service
This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user.
SeLoadDriverPrivilege
Administrators
This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.
SeRestorePrivilege
Administrators
This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories. It determines which users can set valid security principals as the owner of an object.
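An added defensive check (not part of the original notes): compare an exported User Rights Assignment against the holders listed above and report anything extra. The function name, the sample accounts and the output path are assumptions; the SIDs are the well-known ones for the groups named in the list.

```powershell
# Baseline from the list above: user right -> SIDs expected to hold it.
$Admins   = 'S-1-5-32-544'                                   # BUILTIN\Administrators
$Baseline = @{
    SeNetworkLogonRight           = @($Admins, 'S-1-5-11')       # + Authenticated Users
    SeRemoteInteractiveLogonRight = @($Admins, 'S-1-5-32-555')   # + Remote Desktop Users
    # + Local Service, Network Service, Service
    SeImpersonatePrivilege        = @($Admins, 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')
}
'SeBackupPrivilege', 'SeSecurityPrivilege', 'SeTakeOwnershipPrivilege',
'SeDebugPrivilege', 'SeLoadDriverPrivilege', 'SeRestorePrivilege' |
    ForEach-Object { $Baseline[$_] = @($Admins) }

function Find-ExtraRightHolder {
    # Hypothetical helper: returns every holder of a watched right that is not in $Baseline.
    param([string[]]$InfLines)
    foreach ($line in $InfLines) {
        # [Privilege Rights] lines look like: SeDebugPrivilege = *S-1-5-32-544,SomeAccount
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        if (-not $Baseline.ContainsKey($right)) { continue }
        $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($holder in $holders) {
            # SIDs carry a leading '*'; accounts exported by name have none and never match.
            if ($Baseline[$right] -notcontains $holder.TrimStart('*')) {
                [pscustomobject]@{ Right = $right; UnexpectedHolder = $holder }
            }
        }
    }
}

# Constructed sample input. On a real host, export the section from an elevated prompt
# (the output path is a placeholder) and pass the file's lines instead:
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
#   Find-ExtraRightHolder -InfLines (Get-Content C:\Temp\rights.inf)
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,svc_backup
SeDebugPrivilege = *S-1-5-32-544,dev_jsmith
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
'@ -split '\r?\n'

Find-ExtraRightHolder -InfLines $sample | Format-Table -AutoSize
```

On the sample this reports svc_backup and dev_jsmith; SeShutdownPrivilege is ignored because it is not in the watch list. Extend `$Baseline` to match what your own build assigns before treating a hit as a finding.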
Active Directory
In AD, group policies sit on top, on the DC, and override local group policies.