User Privileges
A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the Privilege Management feature to assign (enable) or deny (disable) privileges.
In this section:
- User Privileges Policies
- Create a User Privilege Management Policy
- Add Group membership to a Policy
- Assign Privileges to a Policy
- Privileges
User Privileges Policies
The Elevate policy is applied to new rule items by default. When an item is elevated, it is given increased privileges and does not require an administrator to run it.
User privileges policies offer an alternative to using the default Elevate rule and can be customized to meet the needs of your organization. Policies can range from making an individual user a member of a "Power User" group to removing user membership from the Administrators group.
When a User Privileges Policy is created, you can customize your policy using the following three tabs:
- Group Membership - Group Membership allows you to specify Windows user groups to be dropped or added when a policy is applied. You add a group action to the policy contents and then specify whether membership of the selected group is to be added when the policy is applied or dropped.
When you assign membership to a user group, only the group you have selected is added; nested groups are not included. For example, assigning group membership to Domain Administrators does not automatically include the local Administrators group, which therefore needs to be added separately.
- Privileges - A privilege is the right of a user account to perform a particular system-related operation, such as shutting down the computer or changing the system time. You can use the User Rights Management feature to enable, disable or remove privileges:
- No change - Leaves the privilege as it is with its original token.
- Enabled - Sets the flag in the token to enabled.
- Disabled - Sets the flag in the token to disabled.
- Remove - Removes the privilege from the token. You cannot undo this option.
- Properties - Add a description for the policy in the Properties tab. If required, you can force a custom admin token to use medium integrity rather than defaulting to high integrity.
Create a User Privilege Management Policy
- Select the Library > User Privilege Policies node.
- Select Add Policy on the Privilege Management ribbon.
- Select and right-click the new policy and select Rename.
- Give the policy an intuitive name.
- Do one or more of the following:
- Use the Group Membership tab to specify the credentials an application can run under, for example, what group and whether to add or drop membership for the group. Adding membership allows users to run an application as if they were a member of the group.
- Use the Privileges tab for granular control of the privileges the user will have over an application.
- Use the Properties tab to specify the integrity level. Applications with a low or medium integrity level cannot interoperate with applications that have a high integrity level.
From Application Control 2020.3, a checkbox has been added to the Properties tab. It allows you to customize an admin token, assigning it a medium integrity level - instead of a high integrity level.
User Privileges Management policies are reusable.
Add Group Membership to a Policy
Standard users typically have no administrative rights. The following process demonstrates how to create a User Privileges Policy for a Support Desk operative. User privileges management provides the ability to add membership to a selected group or to drop membership. The first step in creating the configuration is to create a User Privileges Policy and to specify the membership, in this case, to add membership.
- In the Application Control console, select the User Privileges Policies node under Library.
- In the Privilege Management ribbon, click Add Policy.
The new policy is added under the User Privileges Policies node in the navigation pane.
To sort policies under the User Privileges Policies node, right-click the node and select Sort Ascending or Sort Descending.
- In the work area, click the new policy name to make the name editable.
- Enter a name for the policy, for example, SupportDesk.
- In the Privilege Management ribbon, click Add Group Action.
The Account Selection dialog displays.
- Enter or navigate to the SupportDesk group and click OK.
The group is added to the Group Membership tab in the work area for the policy.
- In the tab, ensure that Add Membership is visible in the Action column. This is the default setting.
Assign Privileges to a Policy
- Select the Library > User Privilege Policies node.
- Select Add Policy on the Privilege Management ribbon.
- Select and right-click the new policy and select Rename.
- Give the policy an intuitive name.
- Select the Privileges tab for granular control of the privileges the user will have over an application.
- Identify the privilege you want to assign.
- Click the drop-down arrow in the Actions column for the privilege and select Enable.
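The four privilege actions above (No change, Enabled, Disabled, Remove) each leave a different trace in the resulting access token, and the procedure just given only shows how to set them, not how to confirm the result. The following added example (not Application Control code; the policy mapping and the `whoami /priv` sample are constructed) parses the listing that `whoami /priv` prints on Windows and reports every privilege whose token state does not match the action the policy assigned. Note that Remove means the privilege is absent from the listing altogether, whereas Disabled means it is still present with its flag cleared.

```python
"""Check a token's privilege state against a User Privileges policy.

Added example (not Application Control code). Parses `whoami /priv` output and
maps each policy action to what the token should show:
  Enabled/Disabled -> present with that State; Remove -> absent from the token;
  No change -> left as found.
"""
import re

# Constructed sample of `whoami /priv` output, not captured from a real host.
SAMPLE_WHOAMI_PRIV = """
Privilege Name                Description                      State
============================= ================================ ========
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeBackupPrivilege             Back up files and directories    Enabled
SeShutdownPrivilege           Shut down the system             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled
"""

# Hypothetical policy as it would be configured on the Privileges tab.
POLICY = {
    "SeBackupPrivilege": "Enabled",
    "SeShutdownPrivilege": "Disabled",
    "SeDebugPrivilege": "Remove",
    "SeChangeNotifyPrivilege": "No change",
}

# One listing row: privilege name, free-text description, then the State column.
ROW = re.compile(r"^(Se\w+)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(text):
    """Return {privilege: 'Enabled'|'Disabled'} for every row in the listing."""
    states = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states

def check_policy(states, policy):
    """Return (privilege, expected, actual) for each privilege not matching the policy."""
    mismatches = []
    for priv, action in policy.items():
        actual = states.get(priv, "Remove")  # absent from the token means removed
        if action != "No change" and actual != action:
            mismatches.append((priv, action, actual))
    return mismatches
```

On a Windows host, pass the real output of `whoami /priv`, run from inside the application the policy elevates, to `parse_whoami_priv` in place of the constructed sample.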
Example: Create a Configuration that Allows Microsoft OneDrive to be Downloaded
- Navigate to the Library > User Privilege Policies node.
- Select the Add Policy ribbon button.
- Select and right-click the new policy beneath the User Privilege Policies node and select Rename.
- Enter an intuitive name for the policy, for example, Elevate.
- Select the Add Group Action ribbon button.
- Enter the name of the administrator user group or use the Browse button to navigate to the account.
- Ensure Add Membership is selected in the Action column.
- Select the User Privileges node for a particular group, for example, the Everyone group.
- Select Add Item > Application > File.
The Add a File for User Privilege Management dialog displays.
- Enter the name of the web installation you want to add in the File field, for example, onedrive.exe, or click the Browse button to locate and then select the file.
- In the Policy field, click the drop-down arrow icon and select the policy required (in this example, choose Elevate).
- Select Apply policy to child processes.
- Select Install as trusted owner.
- Click Add.
- Select the Allowed Items node for the same group.
- Select Add Item > Allowed > Signature Item.
The Add a Signature dialog displays.
- Navigate to the web installation and click Open.
- Save the configuration.
Other configurable items also need to be considered. For example, for an ActiveX installation you need to allow the ActiveX file to run, and any executables that the control calls. You need to consider Process rules, Trusted Vendors, any Digital Certificates, Allowed Items, Elevated items, and so on.
Privileges
The following table provides the full list of privileges and describes how and when system components check for them.
Privilege | User Right | Privilege Usage |
---|---|---|
SeAssignPrimaryTokenPrivilege | Replace a process-level token | Checked for by various components, such as NtSetInformationJob, that set a process' token. |
SeAuditPrivilege | Generate security audits | Required to generate events for the Security event log with the ReportEvent API. |
SeBackupPrivilege | Back up files and directories | Causes NTFS to grant the following access to any file or directory, regardless of the security descriptor that is present: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE. When opening a file for backup, the caller must specify the FILE_FLAG_BACKUP_SEMANTICS flag. Also allows corresponding access to registry keys when using. |
SeChangeNotifyPrivilege | Bypass traverse checking | Used by NTFS to avoid checking permissions on intermediate directories of a multilevel directory lookup. Also used by file systems when applications register for notification of changes to the file system structure. |
SeCreateGlobalPrivilege | Create global objects | Required for a process to create section and symbolic link objects in the directories of the object manager namespace that are assigned to a different session than the caller. |
SeCreatePagefilePrivilege | Create a pagefile | Checked for by NtCreatePagingFile, which is the function used to create a new paging file. |
SeCreatePermanentPrivilege | Create permanent shared objects | Checked for by the object manager when creating a permanent object (one that does not get de-allocated when there are no more references to it). |
SeCreateSymbolicLinkPrivilege | Create symbolic links | Checked for by the NTFS when creating symbolic links on the file system with the CreateSymbolicLink API. |
SeCreateTokenPrivilege | Create a token | NtCreateToken, the function that creates a token object, checks for this privilege. |
SeDebugPrivilege | Debug programs | If the caller has this privilege enabled, the process manager allows access to any process or thread using NtOpenProcess or NtOpenThread, regardless of the process's or thread's security descriptor (except for protected processes). |
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Used by Active Directory services to delegate authenticated credentials. |
SeImpersonatePrivilege | Impersonate a client after authentication | The process manager checks for this when a thread wants to use a token for impersonation and the token represents a different user than that of the thread's process token. |
SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Checked for by the process manager and is required to raise the priority of a process. |
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Enforced when changing a process's working set thresholds, a process's paged and non-paged pool quotas, and a process's CPU rate quota. |
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to call SetProcessWorkingSetSize to increase the minimum working set. This indirectly allows the process to lock up to the minimum working set of memory using VirtualLock. |
SeLoadDriverPrivilege | Load and unload device drivers | Checked for by the NtLoadDriver and NtUnloadDriver driver functions. |
SeLockMemoryPrivilege | Lock pages in memory | Checked for by NtLockVirtualMemory, the kernel implementation of VirtualLock. |
SeMachineAccountPrivilege | Add workstations to the domain | Checked for by the Security Accounts Manager on a domain controller when creating a machine account in a domain. |
SeManageVolumePrivilege | Perform volume maintenance tasks | Enforced by file system drivers during a volume open operation, which is required to perform disk checking and defragmenting activities. |
SeProfileSingleProcessPrivilege | Profile single process | Checked by Superfetch and the prefetcher when requesting information for an individual process through the NtQuerySystemInformation API. |
SeRelabelPrivilege | Modify an object label | Checked for by the SRM when raising the integrity level of an object owned by another user, or when attempting to raise the integrity level of an object higher than that of the caller's token. |
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Winlogon checks that remote callers of the function have this privilege. |
SeRestorePrivilege | Restore files and directories | Causes NTFS to grant the following access to any file or directory, regardless of the security descriptor that is present: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. When opening a file for backup, the caller must specify the FILE_FLAG_BACKUP_SEMANTICS flag. Also allows corresponding access to registry keys when using. |
SeSecurityPrivilege | Manage auditing and security log | Required to access the SACL of a security descriptor, and to read and clear the security event log. |
SeShutdownPrivilege | Shut down the system | Checked for by NtShutdownSystem and NtRaiseHardError, which presents a system error dialog box on the interactive console. |
SeSyncAgentPrivilege | Synchronize directory service data | Required to use the LDAP directory synchronization services and allows the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. |
SeSystemEnvironmentPrivilege | Modify firmware environment variables | Required by NtSetSystemEnvironmentValue and NtQuerySystemEnvironmentValue to modify and read firmware environment variables using HAL. |
SeSystemProfilePrivilege | Profile system performance | Checked for by NtCreateProfile, the function used to perform profiling of the system. This is used by the Kernprof tool, for example. |
SeSystemtimePrivilege | Change the system time | Required to change the time or date. |
SeTakeOwnershipPrivilege | Take ownership of files and other objects | Required to take ownership of an object without being granted discretionary access. |
SeTcbPrivilege | Act as part of the operating system | Checked for by the security reference monitor when the session ID is set in a token, by the Plug and Play manager for Plug and Play event creation and management, BroadcastSystemMessageEx when called with |
SeTimeZonePrivilege | Change the time zone | Required to change the time zone. |
SeTrustedCredManAccessPrivilege | Access credential manager as a trusted caller | Checked by the credential manager to verify that it should trust the caller with credential information that can be queried in plain text. Is only granted to Winlogon by default. |
SeUndockPrivilege | Remove computer from a docking station | Checked for by the user-mode Plug and Play manager when either a computer undock is initiated or a device eject request is made. |
SeUnsolicitedInputPrivilege | Receive unsolicited data from a terminal device | This privilege is not currently used by Windows. |