Least Priv part 2

I have been trying to find a comprehensive list of the Windows permissions and their effects.
This is proving hard to do.

I found the following in an old MCSD study guide (WMA I and WMA II – Prendergast):

Windows NT – Everything is secure within Windows NT. The security issues are often the system manager not understanding how to secure the system.

The problem is that there is no one place to find the documentation to be able to secure a Windows 2000 or above machine – especially when you include Active Directory.

This is especially fun when Windows helpfully performs actions on your behalf silently.
This can cause deployment nightmares.

For example, when you use DCOMCNFG to specify the identity for a COM object and specify the password, it quietly grants you the “log on as a batch job” right. When Active Directory is involved in the mix, it notices that according to its information (GPO) you should not have that right and takes it away. This can cause an application to fail up to a day after it was deployed and tested. This gets really fun when the deployment engineer has now left the country.

I have also been looking for the means to determine what privileges are requested.
Finally I have found it!

Under Local Security Settings | Local Policies | Audit Policy there is an option to “Audit privilege use”.
Between the settings of audit on success and audit on failure, we now have enough tools to identify the use of privileges. This information is written to the Security section of the Event Viewer (a point that is not clearly documented anywhere that I could find on the MSDN site).
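
An added example (not from the original post) of turning those audit records into a per-account list of privileges used or refused. It assumes Windows Vista / Server 2008 or later, where privilege use is logged as Security events 4673 and 4674; the function name, account and process names are made up for illustration.

```powershell
# Added example. Turn the audit policy on first (elevated prompt):
#   auditpol /set /category:"Privilege Use" /success:enable /failure:enable

function Get-PrivilegeUseSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Flatten <Data Name="x">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Audit Failure keyword: the privilege use was attempted and refused.
        $result = if ($evt.System.Keywords -eq '0x8010000000000000') { 'Failure' } else { 'Success' }
        # PrivilegeList may hold several names separated by whitespace.
        foreach ($p in ($d['PrivilegeList'] -split '\s+' | Where-Object { $_ })) {
            [pscustomobject]@{
                EventId   = [int]$evt.System.EventID
                Result    = $result
                Account   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Privilege = $p
                Process   = $d['ProcessName']
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used above.
$e1 = '<Event><System><EventID>4673</EventID><Keywords>0x8010000000000000</Keywords></System>' +
      '<EventData><Data Name="SubjectUserName">svc_app</Data>' +
      '<Data Name="SubjectDomainName">EXAMPLE</Data>' +
      '<Data Name="PrivilegeList">SeTcbPrivilege</Data>' +
      '<Data Name="ProcessName">C:\App\worker.exe</Data></EventData></Event>'
$e2 = '<Event><System><EventID>4674</EventID><Keywords>0x8020000000000000</Keywords></System>' +
      '<EventData><Data Name="SubjectUserName">svc_app</Data>' +
      '<Data Name="SubjectDomainName">EXAMPLE</Data>' +
      "<Data Name=`"PrivilegeList`">SeBackupPrivilege`n`t`t`tSeRestorePrivilege</Data>" +
      '<Data Name="ProcessName">C:\App\worker.exe</Data></EventData></Event>'

Get-PrivilegeUseSummary -EventXml $e1, $e2 |
    Sort-Object Account, Privilege | Format-Table -AutoSize

# Live use (elevated), reading the real Security log instead of the samples:
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673,4674} |
#          ForEach-Object { $_.ToXml() }
#   Get-PrivilegeUseSummary -EventXml $xml | Group-Object Account, Privilege, Result
```

The Failure rows are the ones to look at when trimming an account down: they show a privilege the application asked for and did not have.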
