User Rights vjj 1

(1)

(2)

User Rights

• některá oprávnění nelze (snadno) vyjádřit pomocí

přístupových práv k objektům

• user rights

(3)

User Rights

• User rights fall into two general categories: logon

rights and privileges.

• Logon rights control who is authorized to log on

to a computer and how they can log on.

• Privileges control access to system-wide

resources on a computer and can override the

permissions that are set on particular objects.

(4)

Logon Rights

• control how security principals are allowed access to the

computer

• ano nebo ne

• allow logging on to the computer

• deny logging on to the computer. Use a deny logon right as you

would use a deny permission — to exclude a subset of a group that

has been assigned an allow logon right.

• odkud

• from the keyboard

• through a network connection

• speciální způsob

• as a service

• as a batch job

(5)

privilegia

• privilege assignment

• prostřednictvím Group Policy

• Ntrights.exe from command prompt

(W2K3 Resource Kit)

• protože v existujícím Security Tokenu nelze

provádět zásadní změny, projeví se změna v

přidělených privilegiích až po novém přilogování

• přidělená privilegia nebývají rovnou i aktivní

-před použitím je nutné je explicitně aktivovat

(6)

aktivace privilegia – Win32 API

HANDLE htok = 0;

TOKEN_PRIVILEGES

tp, tpOld;

tp.PrivilegeCount = 1;

tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

DWORD cb = sizeof tp;

OpenProcessToken( GetCurrentProcess( ),

TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &htok );

LookupPrivilegeValue( 0, SE_BACKUP_NAME,

&tp.Privileges[0].Luid );

• LUID (locally unique identifier) A 64-bit value that is guaranteed to be unique on

the operating system that generated it until the system is restarted.

AdjustTokenPrivileges

( htok, FALSE, &tp, cb,

&tpOld, &cb );

(7)

aktivace privilegia – .NET

• API funkce

• OpenProcessToken

• GetCurrentProcess

• LookupPrivilegeValueW

• AdjustTokenPrivileges

• dvě možnosti:

• prostřednictvím P/Invoke volat všechny funkce z .NETu

– komplikované předávání parametrů

nekompatibilních s .NETem

• vlastní obalující C++ funkce (v DLL) volaná

(8)

myAdjustTokenPrivileges (C++)

BOOL WINAPI myAdjustTokenPrivilege

( LPCWSTR lpPrivilegeName,

BOOL bEnable)

{ TOKEN_PRIVILEGES Privileges;

HANDLE hToken;

BOOL bResult;

OpenProcessToken (GetCurrentProcess(),

TOKEN_QUERY, &hToken)

Privileges.PrivilegeCount = 1;

Privileges.Privileges[0].Attributes =

(bEnable) ? SE_PRIVILEGE_ENABLED : 0;

07.05.2015 vjj 8

(9)

myAdjustTokenPrivileges (C++)

LookupPrivilegeValueW( NULL, lpPrivilegeName,

&Privileges.Privileges[0].Luid )

bResult = AdjustTokenPrivileges

( hToken, FALSE, &Privileges, 0, NULL, NULL );

CloseHandle( hToken );

return TRUE;

(10)

P/Invoke: API -> .NET (C#)

[DllImport (

"myAPI.dll",

CharSet = CharSet.Auto,

EntryPoint = "myAdjustTokenPrivilege",

ExactSpelling = false,

BestFitMapping = true,

CallingConvention =

CallingConvention.Winapi )]

public static extern System.Boolean

myAdjustTokenPrivilege

( string lpPrivilegeName,

System.Boolean bEnable );

(11)

aktivace privilegia TCB (C#)

myAdjustTokenPrivilege

( (string) "SeTcbPrivilege",

(bool) true ) ;

(12)

nepřehledný přehled

(13)

Access this

computer from the

network

SeNetworkLogonRig

ht

Allows a user to

connect to the

computer from the

network

Administrators

Power Users

Users

Everyone

Backup Operators

Allow logon through

Terminal Services

SeRemoteInteractive

LogonRight

Allows a user to log

on to the computer

by using a

Remote

Desktop

connection

Administrators

Remote Desktop

Users

Log on as a batch

job

SeBatchLogonRight

Allows a user to log

on by using a

batch-queue facility such

as the

Task

Scheduler

service

Administrator

System

Support_xxxxxxxx

When an administrator uses the Add Scheduled Task wizard to schedule a

task to run under a particular user name and password, that user is

automatically assigned the "Log on as a batch job" right. When the

scheduled time arrives, the Task Scheduler service logs the user on as a

batch job rather than as an interactive user, and the task runs in the user's

security context. The Support_xxxxxxxx

Remote Assistance.

Log on locally

SeInteractiveLogonR

ight

Allows a user to

start an

interactive

session on the

computer

Administrators

Power Users

Users, Guest

Backup Operators

Users who do not have this right can start a remote interactive session on

the computer if they have the "Allow logon through Terminal Services" right.

Log on as a service

SeServiceLogonRight

Allows a security

principal to log on as

a service. Services

can be configured to

run under the

Local

System, Local

Service, or Network

Service

accounts,

which have a built-in

(14)

Privileges

•

Table B.2 Privileges

•

Privilege Description

•

Act as part of the operating system (SeTcbPrivilege)

•

Allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this privilege. Default setting: Not assigned.

•

Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log.

•

When a service requires this privilege, configure the service to log on using the Local System account, which has the privilege inherently. Do not create a separate account and assign the privilege to it.

•

Add workstations to domain (SeMachineAccountPrivilege)

•

Allows the user to add a computer to a specific domain. For the privilege to take effect, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain. Default

setting: Not assigned.

•

Users can also join a computer to a domain if they have Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have this permission can add an unlimited number of computers to the domain regardless of whether they have been assigned the "Add workstations to a domain" privilege.

•

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

•

Allows a process that has access to a second process to increase the processor quota assigned to the second process. This privilege is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial-of-service attack. Default

setting: Administrators, Local Service, and Network Service.

•

Back up files and directories (SeBackupPrivilege)

•

Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. Default setting: Administrators and Backup Operators.

•

See also "Restore files and directories" in this table.

•

Bypass traverse checking (SeChangeNotifyPrivilege)

(15)

standard privilegies

Friendly Name

Programmatic Name

Admin System

Act as part of the operating system

SE_TCB_NAME

S

Add workstations to domain

SE_MACHINE_ACCOUNT_NAME

Back up files and directories

SE_BACKUP_NAME

A

S

Bypass traverse checking

SE_CHANGE_NOTIFY_NAME

U

S

Change the system time

SE_SYSTEMTIME_NAME

A

S

Create a page file

SE_CREATE_PAGEFILE_NAME

A

S

Create a token object

SE_CREATE_TOKEN_NAME

S

Create permanent shared object

SE_CREATE_PERMANENT_NAME

S

Debug programs

SE_DEBUG_NAME

A

S

Enable computer and user account to be trusted for

delegation

SE_ENABLE_DELEGATION_NAME

Force shutdown from a remote system

SE_REMOTE_SHUTDOWN_NAME

A

(16)

7.5.15 vjj 16

Friendly Name

Programmatic Name

Admin System

Increase quotas

SE_INCREASE_QUOTA_NAME

A

o

Increase scheduling priority

SE_INC_BASE_PRIORITY_NAME

o

Load and unload device drivers

SE_LOAD_DRIVER_NAME

o

Lock pages in memory

SE_LOCK_MEMORY_NAME

o

Manage auditing and security log

SE_SECURITY_NAME

o

Modify firmware environment values

SE_SYSTEM_ENVIRONMENT_NAME

o

Profile single process

SE_PROF_SINGLE_PROCESS_NAME

o

Profile system performance

SE_SYSTEM_PROFILE_NAME

o

Remove computer from docking station

SE_UNDOCK_NAME

U

o

Replace a process-level token

SE_ASSIGNPRIMARYTOKEN_NAME

o

Restore files and directories

SE_RESTORE_NAME

o

Shut down the system

SE_SHUTDOWN_NAME

U

o

Synchronize directory service data

SE_SYNC_AGENT_NAME

(17)

user

run as admin

SeBackupPrivilege

SeChangeNotifyPrivilege

SeCreateGlobalPrivilege

SeCreatePagefilePrivilege

SeCreateSymbolicLinkPrivilege

SeDebugPrivilege

SeImpersonatePrivilege

SeIncreaseBasePriorityPivilege

SeIncreaseQuotaPrivilege

SeIncreaseWorkingSetPrivilege

SeLoadDrivePrivilege

SeManageVolumePrivilege

(18)

7.5.15

vjj

18 user

run as admin

SeProfileSingleProcessPrivilege

SeRemoteShutdownPrivilege

SeRestorePrivilege

SeSecurityPrivilege

SeShutdownPrivilege

SeSystemEnvironmentPrivilege

SeSystemProfilePrivilege

SeSystemTimePrivilege

SeTakeOwnershipPrivilege

SeTimeZonePrivilege

SeUndockPrivilege

(19)

Bypass traverse checking

• This user right determines which users can traverse directory

trees even though the user may not have permissions on the

traversed directory. This privilege does not allow the user to list

the contents of a directory, only to traverse directories

• On workstations and servers:

• Administrators

• Backup Operators

• Power Users

• Users

• Everyone

• On domain controllers:

• Administrators

• Authenticated Users

(20)

SeEnableDelegationPrivilege

• dovoluje nastavit v Active Directory pro počítače

vlastnost Trusted for Delegation.

• ta dovoluje zastupovat uživatele i při komunikaci s

dalšími servery

(21)

Act as part of the operating system

• SeTcbPrivilege

(Tcb = Trusted Computing Base)

• Allows a process to perform as

a secure, trusted part of the operating system

• This user right

allows

a process to

impersonate

any user

without

authentication

• Some subsystems are granted this right

• required to call LogonUser

• SeImpersonatePrivilege

•

Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels