geeksrot.blogg.se

Windows terminal server











Appendix B: Privileged Accounts and Groups in Active Directory

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. This appendix begins by discussing rights, privileges, and permissions, followed by information about the "highest privilege" accounts and groups in Active Directory, that is, the most powerful accounts and groups. Information is also provided about built-in and default accounts and groups in Active Directory, in addition to their rights. Although specific configuration recommendations for securing the highest privilege accounts and groups are provided as separate appendices, this appendix provides background information that helps you identify the users and groups you should focus on securing. You should do so because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.

Rights, Privileges, and Permissions in Active Directory

The differences between rights, permissions, and privileges can be confusing and contradictory, even within documentation from Microsoft. This section describes some of the characteristics of each as they are used in this document. These descriptions should not be considered authoritative for other Microsoft documentation, because it may use these terms differently. Rights and privileges are effectively the same system-wide capabilities that are granted to security principals such as users, services, computers, or groups.

In interfaces typically used by IT professionals, these are usually referred to as "rights" or "user rights," and they are often assigned by Group Policy Objects. The following screenshot shows some of the most common user rights that can be assigned to security principals (it represents the Default Domain Controllers GPO in a Windows Server 2012 domain). Some of these rights apply to Active Directory, such as the Enable computer and user accounts to be trusted for delegation user right, while other rights apply to the Windows operating system, such as Change the system time. In interfaces such as the Group Policy Object Editor, all of these assignable capabilities are referred to broadly as user rights. In reality however, some user rights are programmatically referred to as rights, while others are programmatically referred to as privileges. Table B-1: User Rights and Privileges provides some of the most common assignable user rights and their programmatic constants.

For more information about each of the user rights listed in the following table, use the links in the table or see Threats and Countermeasures Guide: User Rights in the Threats and Vulnerabilities Mitigation guide for Windows Server 2008 R2 on the Microsoft TechNet site. Although Group Policy and other interfaces refer to all of these as user rights, some are programmatically identified as rights, while others are defined as privileges. For information applicable to Windows Server 2008, please see User Rights in the Threats and Vulnerabilities Mitigation documentation on the Microsoft TechNet site. For the purposes of this document, the terms "rights" and "user rights" are used to identify rights and privileges unless otherwise specified. As of the writing of this document, corresponding documentation for Windows Server 2012 is not yet published.

Table B-1: User Rights and Privileges

User Right in Group Policy
Access Credential Manager as a trusted caller
Deny access to this computer from the network
Enable computer and user accounts to be trusted for delegation
Impersonate a client after authentication

Permissions are access controls that are applied to securable objects such as the file system, registry, service, and Active Directory objects. Each securable object has an associated access control list (ACL), which contains access control entries (ACEs) that grant or deny security principals (users, services, computers, or groups) the ability to perform various operations on the object. For example, the ACLs for many objects in Active Directory contain ACEs that allow Authenticated Users to read general information about the objects, but do not grant them the ability to read sensitive information or to change the objects. With the exception of each domain's built-in Guest account, every security principal that logs on and is authenticated by a domain controller in an Active Directory forest or a trusted forest has the Authenticated Users Security Identifier (SID) added to its access token by default.











