KBI 220702 Windows Event Log User Rights Codes
Version
N/A
Date
1 Jul 2007
Summary
Windows security event log event IDs 608 and 609 enumerate user rights that have been assigned to or removed from a user account.
Technical Background
The following codes need investigation when they have been assigned to a user account. They grant access to critical parts of the operating system and have great potential for misuse or malicious activity.
| Code | Description |
| --- | --- |
| SeTcbPrivilege | Act as part of the operating system. This right allows a process to assume the identity of any user. |
| SeBackupPrivilege | Allows the user to back up files and directories, ignoring file and directory permissions. |
| SeSystemTimePrivilege | Allows the user to modify the system time. |
| SeDebugPrivilege | Allows the user to attach a debugger to any process, which gives potential access to hidden or internal data and structures. |
| SeRemoteShutdownPrivilege | Allows the user to force a system shutdown from a remote computer. |
| SeLoadDriverPrivilege | Allows the user to install and remove device drivers. Because device drivers run as trusted, highly privileged code, installing an incorrect or malicious driver can lead to system instability. |
| SeSecurityPrivilege | Allows the user to manage and modify security auditing policy settings. It also gives the user the right to clear the security log. |
| SeManageVolumePrivilege | Allows the user to manage disks and volumes. |
| SeRestorePrivilege | Allows the user to restore files and directories from backup storage, circumventing file and folder security permissions. |
| SeShutdownPrivilege | The user can shut down the system. |
| SeTakeOwnershipPrivilege | Enables the user to take ownership of any securable object on the system. |
| SeSyncAgentPrivilege | Enables the user to read all objects and properties in Active Directory regardless of the security permissions set on them. |
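As an added example (not part of this KB article), the following Python script replays a handful of 608/609 records, flags every assignment of a right from the table above, and reports which of those rights each account still holds once 609 removals are applied. The message layout it parses is an approximation of the 608/609 event body, and every account name, logon ID and record below is constructed sample data; a real deployment would read the Security log and map the same fields.

```python
"""Triage Windows security events 608 (User Right Assigned) and 609 (User
Right Removed) for the high-risk privileges listed in the KB table.

Added example, not part of the KB article. The message layout parsed here is a
constructed approximation of the 608/609 event body, and every account name
and record below is constructed sample data.
"""
import re

# Rights from the KB table that warrant investigation when assigned.
SENSITIVE_RIGHTS = {
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file, bypassing permissions",
    "SeSystemTimePrivilege": "change the system time",
    "SeDebugPrivilege": "attach a debugger to any process",
    "SeRemoteShutdownPrivilege": "force a shutdown from a remote computer",
    "SeLoadDriverPrivilege": "install and remove device drivers",
    "SeSecurityPrivilege": "change audit policy and clear the security log",
    "SeManageVolumePrivilege": "manage disks and volumes",
    "SeRestorePrivilege": "write any file, bypassing permissions",
    "SeShutdownPrivilege": "shut the system down",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeSyncAgentPrivilege": "read every Active Directory object",
}

USER_RIGHT_ASSIGNED = 608
USER_RIGHT_REMOVED = 609

# Field labels in the event body (constructed approximation of the real layout).
_FIELD = re.compile(r"^\s*(User Right|Assigned To|Removed From|User Name|Domain):\s*(.*)$")
_PRIV = re.compile(r"Se\w+Privilege")


def parse_user_right_event(event_id, message):
    """Extract rights, target account and acting account from a 608/609 body.

    Returns None for any other event id. Several rights may be listed under a
    single 'User Right:' label, one per continuation line.
    """
    if event_id not in (USER_RIGHT_ASSIGNED, USER_RIGHT_REMOVED):
        return None
    rec = {"id": event_id, "rights": [], "target": None, "actor": None, "domain": None}
    in_rights = False
    for line in message.splitlines():
        m = _FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_rights = key == "User Right"
            if in_rights:
                rec["rights"].extend(_PRIV.findall(value))
            elif key in ("Assigned To", "Removed From"):
                rec["target"] = value
            elif key == "User Name":
                rec["actor"] = value
            else:  # Domain
                rec["domain"] = value
        elif in_rights:
            rec["rights"].extend(_PRIV.findall(line))  # continuation line
    return rec


def triage(events):
    """Replay (event_id, message) pairs in order.

    Returns (findings, effective): one finding per assignment of a sensitive
    right, and a map of account -> sensitive rights still held after removals.
    """
    findings = []
    effective = {}
    for event_id, message in events:
        rec = parse_user_right_event(event_id, message)
        if rec is None:
            continue
        held = effective.setdefault(rec["target"], set())
        for right in rec["rights"]:
            if right not in SENSITIVE_RIGHTS:
                continue  # e.g. SeChangeNotifyPrivilege: routine, not in the table
            if rec["id"] == USER_RIGHT_ASSIGNED:
                held.add(right)
                findings.append({"account": rec["target"], "right": right,
                                 "why": SENSITIVE_RIGHTS[right],
                                 "by": rec["actor"], "domain": rec["domain"]})
            else:
                held.discard(right)
    return findings, {acct: rights for acct, rights in effective.items() if rights}


# Constructed sample records (accounts, logon IDs and wording are made up).
SAMPLE_EVENTS = [
    (608, "User Right Assigned:\n\tUser Right:\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n"
          "\tAssigned To:\tCORP\\svc_backup\n\tAssigned By:\n\t\tUser Name:\tAdministrator\n"
          "\t\tDomain:\tCORP\n\t\tLogon ID:\t(0x0,0x3E7)"),
    (608, "User Right Assigned:\n\tUser Right:\tSeChangeNotifyPrivilege\n"
          "\tAssigned To:\tCORP\\jdoe\n\tAssigned By:\n\t\tUser Name:\tAdministrator\n"
          "\t\tDomain:\tCORP\n\t\tLogon ID:\t(0x0,0x3E7)"),
    (608, "User Right Assigned:\n\tUser Right:\tSeDebugPrivilege\n\t\t\tSeTcbPrivilege\n"
          "\tAssigned To:\tCORP\\jdoe\n\tAssigned By:\n\t\tUser Name:\thelpdesk1\n"
          "\t\tDomain:\tCORP\n\t\tLogon ID:\t(0x0,0x4A2F1)"),
    (609, "User Right Removed:\n\tUser Right:\tSeDebugPrivilege\n"
          "\tRemoved From:\tCORP\\jdoe\n\tRemoved By:\n\t\tUser Name:\tAdministrator\n"
          "\t\tDomain:\tCORP\n\t\tLogon ID:\t(0x0,0x3E7)"),
    (4624, "An account was successfully logged on."),  # unrelated id, ignored
]

if __name__ == "__main__":
    found, still_held = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"ALERT 608: {f['right']} assigned to {f['account']} by "
              f"{f['domain']}\\{f['by']} (can {f['why']})")
    for acct, rights in sorted(still_held.items()):
        print(f"{acct} still holds: {', '.join(sorted(rights))}")
```

Replaying removals matters in practice: a 608 followed by a 609 for the same right is often a legitimate temporary grant, whereas a sensitive right that remains in the effective set, or one granted by an account that does not normally administer user rights (helpdesk1 in the sample), is what deserves a follow-up.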
Resolution
N/A