The following procedure describes how to configure a security policy setting for only a domain controller from the domain controller. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. Is this page helpful? This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. In this article. Adjust memory quotas for a process.
Back up files and directories. Create permanent shared objects. Increase a process working set. Increase scheduling priority. Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects.
Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. For information about setting security policies, see Configure security policy settings. The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.
Skip to main content. Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings. User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on.
In this section, I will explain the most important settings and how they should be configured. Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege. If you remove this user right on the DC, no one will be able to log on to the domain. The default configuration includes the Users group, which allows a standard user to log on to the server console.
Limit this privilege only to administrators. It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege. A malicious user could backup and restore data on a different computer, thereby gaining access to it.
The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised, it cannot be used to elevate privileges on any other network resource, or access it via RDP. Only administrators should be able to shut down any server, to prevent denial-of-service DoS attacks. This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity. Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.
User having this privilege can take control ownership of any object, such as a file or folder, and expose sensitive data. This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data.
It can be used by attackers to collect information about running critical processes, or which users are logged on. Changes in system time might lead to DoS issues, such as unavailability to authenticate to the domain.
Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own. An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account. Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature. I hope this article helped you to understand why it is important to define a security baseline for your systems.
Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions. Want to write for 4sysops?
0コメント