User Rights Assignment
Applies to
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.
Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local device by using the Local Group Policy Editor (gpedit.msc).
For information about setting security policies, see Configure security policy settings.
The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.
Обзор управления доступом Access Control Overview
Относится к: Applies to
- Windows 10 Windows 10
- Windows Server 2016 Windows Server 2016
В этом разделе для ИТ-специалистов описывается управление доступом в Windows, которое является процессом авторизации пользователей, групп и компьютеров для доступа к объектам в сети или на компьютере. This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Ключевыми понятиями, которые составляют управление доступом, являются разрешения, владение объектами, наследование разрешений, права пользователей и аудит объектов. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
Описание функции Feature description
Компьютеры с поддерживаемой версией Windows могут управлять использованием системных и сетевых ресурсов с помощью взаимосвязанных механизмов проверки подлинности и авторизации. Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. После проверки подлинности пользователя операционная система Windows использует встроенные технологии авторизации и управления доступом для реализации второго этапа защиты ресурсов: определения, имеет ли пользователь с проверкой подлинности правильные разрешения на доступ к ресурсу. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
Общие ресурсы доступны пользователям и группам, кроме владельца ресурса, и они должны быть защищены от несанкционированного использования. Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. В модели управления доступом пользователи и группы (также именуемые директорами безопасности) представлены уникальными идентификаторами безопасности (SID). In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). Им назначены права и разрешения, которые информируют операционную систему о том, что может сделать каждый пользователь и группа. They are assigned rights and permissions that inform the operating system what each user and group can do. У каждого ресурса есть владелец, который предоставляет разрешения директорам безопасности. Each resource has an owner who grants permissions to security principals. Во время проверки контроля доступа эти разрешения проверяются, чтобы определить, какие принципы безопасности могут получить доступ к ресурсу и каким образом они могут получить к нему доступ. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
Принципы безопасности выполняют действия (в том числе чтение, записи, изменение или полный контроль) на объектах. Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Объекты включают файлы, папки, принтеры, ключи реестра и объекты служб домена Active Directory (AD DS). Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Общие ресурсы используют списки управления доступом (ACLs) для назначения разрешений. Shared resources use access control lists (ACLs) to assign permissions. Это позволяет руководителям ресурсов применять управление доступом следующими способами: This enables resource managers to enforce access control in the following ways:
Отказ в доступе к несанкционированным пользователям и группам Deny access to unauthorized users and groups
Установите четко определенные ограничения доступа, предоставляемого уполномоченным пользователям и группам Set well-defined limits on the access that is provided to authorized users and groups
Владельцы объектов обычно выдают разрешения группам безопасности, а не отдельным пользователям. Object owners generally grant permissions to security groups rather than to individual users. Пользователи и компьютеры, добавленные в существующие группы, принимают разрешения этой группы. Users and computers that are added to existing groups assume the permissions of that group. Если объект (например, папка) может удерживать другие объекты (например, подмостки и файлы), он называется контейнером. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. В иерархии объектов связь между контейнером и его контентом выражается, ссылаясь на контейнер в качестве родительского. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. Объект в контейнере называется ребенком, и ребенок наследует параметры управления доступом родителя. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Владельцы объектов часто определяют разрешения для контейнерных объектов, а не отдельных детских объектов, чтобы облегчить управление управлением доступом. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
Этот набор контента содержит: This content set contains:
Access Control Overview
Applies to
- Windows 10
- Windows Server 2016
This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
Feature description
Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways:
Deny access to unauthorized users and groups
Set well-defined limits on the access that is provided to authorized users and groups
Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
Service Security and Access Rights
The Windows security model enables you to control access to the service control manager (SCM) and service objects. The following sections provide detailed information:
Access Rights for the Service Control Manager
The following are the specific access rights for the SCM.
| Access right | Description |
|---|---|
| SC_MANAGER_ALL_ACCESS (0xF003F) | Includes STANDARD_RIGHTS_REQUIRED, in addition to all access rights in this table. |
| SC_MANAGER_CREATE_SERVICE (0x0002) | Required to call the CreateService function to create a service object and add it to the database. |
| SC_MANAGER_CONNECT (0x0001) | Required to connect to the service control manager. |
| SC_MANAGER_ENUMERATE_SERVICE (0x0004) | Required to call the EnumServicesStatus or EnumServicesStatusEx function to list the services that are in the database. Required to call the NotifyServiceStatusChange function to receive notification when any service is created or deleted. |
| SC_MANAGER_LOCK (0x0008) | Required to call the LockServiceDatabase function to acquire a lock on the database. |
| SC_MANAGER_MODIFY_BOOT_CONFIG (0x0020) | Required to call the NotifyBootConfigStatus function. |
| SC_MANAGER_QUERY_LOCK_STATUS (0x0010) | Required to call the QueryServiceLockStatus function to retrieve the lock status information for the database. |
The following are the generic access rights for the SCM.
| Access right | Description |
|---|---|
| GENERIC_READ | STANDARD_RIGHTS_READ SC_MANAGER_ENUMERATE_SERVICE SC_MANAGER_QUERY_LOCK_STATUS |
| GENERIC_WRITE | STANDARD_RIGHTS_WRITE SC_MANAGER_CREATE_SERVICE SC_MANAGER_MODIFY_BOOT_CONFIG |
| GENERIC_EXECUTE | STANDARD_RIGHTS_EXECUTE SC_MANAGER_CONNECT SC_MANAGER_LOCK |
| GENERIC_ALL | SC_MANAGER_ALL_ACCESS |
A process with the correct access rights can open a handle to the SCM that can be used in the OpenService, EnumServicesStatusEx, and QueryServiceLockStatus functions. Only processes with Administrator privileges are able to open handles to the SCM that can be used by the CreateService and LockServiceDatabase functions.
The system creates the security descriptor for the SCM. To get or set the security descriptor for the SCM, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions with a handle to the SCManager object.
Windows Server 2003 and Windows XP: Unlike most other securable objects, the security descriptor for the SCM cannot be modified. This behavior has changed as of Windows Server 2003 with Service Pack 1 (SP1).
The following access rights are granted.
| Account | Access rights |
|---|---|
| Remote authenticated users | SC_MANAGER_CONNECT |
| Local authenticated users (including LocalService and NetworkService) | SC_MANAGER_CONNECT SC_MANAGER_ENUMERATE_SERVICE SC_MANAGER_QUERY_LOCK_STATUS STANDARD_RIGHTS_READ |
| LocalSystem | SC_MANAGER_CONNECT SC_MANAGER_ENUMERATE_SERVICE SC_MANAGER_MODIFY_BOOT_CONFIG SC_MANAGER_QUERY_LOCK_STATUS STANDARD_RIGHTS_READ |
| Administrators | SC_MANAGER_ALL_ACCESS |
Notice that remote users authenticated over the network but not interactively logged on can connect to the SCM but not perform operations that require other access rights. To perform these operations, the user must be logged on interactively or the service must use one of the service accounts.
Windows Server 2003 and Windows XP: Remote authenticated users are granted the SC_MANAGER_CONNECT, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS, and STANDARD_RIGHTS_READ access rights. These access rights are restricted as described in the previous table as of Windows Server 2003 with SP1
When a process uses the OpenSCManager function to open a handle to a database of installed services, it can request access rights. The system performs a security check against the security descriptor for the SCM before granting the requested access rights.
Access Rights for a Service
The following are the specific access rights for a service.
| Access right | Description |
|---|---|
| SERVICE_ALL_ACCESS (0xF01FF) | Includes STANDARD_RIGHTS_REQUIRED in addition to all access rights in this table. |
| SERVICE_CHANGE_CONFIG (0x0002) | Required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration. Because this grants the caller the right to change the executable file that the system runs, it should be granted only to administrators. |
| SERVICE_ENUMERATE_DEPENDENTS (0x0008) | Required to call the EnumDependentServices function to enumerate all the services dependent on the service. |
| SERVICE_INTERROGATE (0x0080) | Required to call the ControlService function to ask the service to report its status immediately. |
| SERVICE_PAUSE_CONTINUE (0x0040) | Required to call the ControlService function to pause or continue the service. |
| SERVICE_QUERY_CONFIG (0x0001) | Required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration. |
| SERVICE_QUERY_STATUS (0x0004) | Required to call the QueryServiceStatus or QueryServiceStatusEx function to ask the service control manager about the status of the service. Required to call the NotifyServiceStatusChange function to receive notification when a service changes status. |
| SERVICE_START (0x0010) | Required to call the StartService function to start the service. |
| SERVICE_STOP (0x0020) | Required to call the ControlService function to stop the service. |
| SERVICE_USER_DEFINED_CONTROL(0x0100) | Required to call the ControlService function to specify a user-defined control code. |
The following are the standard access rights for a service.
| Access right | Description |
|---|---|
| ACCESS_SYSTEM_SECURITY | Required to call the QueryServiceObjectSecurity or SetServiceObjectSecurity function to access the SACL. The proper way to obtain this access is to enable the SE_SECURITY_NAMEprivilege in the caller’s current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege. |
| DELETE (0x10000) | Required to call the DeleteService function to delete the service. |
| READ_CONTROL (0x20000) | Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object. |
| WRITE_DAC (0x40000) | Required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object’s security descriptor. |
| WRITE_OWNER (0x80000) | Required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object’s security descriptor. |
The following are the generic access rights for a service.
| Access right | Description |
|---|---|
| GENERIC_READ | STANDARD_RIGHTS_READ SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS |
| GENERIC_WRITE | STANDARD_RIGHTS_WRITE SERVICE_CHANGE_CONFIG |
| GENERIC_EXECUTE | STANDARD_RIGHTS_EXECUTE SERVICE_START SERVICE_STOP SERVICE_PAUSE_CONTINUE SERVICE_USER_DEFINED_CONTROL |
The SCM creates a service object’s security descriptor when the service is installed by the CreateService function. The default security descriptor of a service object grants the following access.
| Account | Access rights |
|---|---|
| Remote authenticated users | Not granted by default.Windows Server 2003 with SP1: SERVICE_USER_DEFINED_CONTROL Windows Server 2003 and Windows XP: The access rights for remote authenticated users are the same as for local authenticated users. |
| Local authenticated users (including LocalService and NetworkService) | READ_CONTROL SERVICE_ENUMERATE_DEPENDENTS SERVICE_INTERROGATE SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_USER_DEFINED_CONTROL |
| LocalSystem | READ_CONTROL SERVICE_ENUMERATE_DEPENDENTS SERVICE_INTERROGATE SERVICE_PAUSE_CONTINUE SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_START SERVICE_STOP SERVICE_USER_DEFINED_CONTROL |
| Administrators | DELETE READ_CONTROL SERVICE_ALL_ACCESS WRITE_DAC WRITE_OWNER |
To perform any operations, the user must be logged on interactively or the service must use one of the service accounts.
To get or set the security descriptor for a service object, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions. For more information, see Modifying the DACL for a Service.
When a process uses the OpenService function, the system checks the requested access rights against the security descriptor for the service object.
Granting certain access rights to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service, and possibly allow them to run applications under the LocalSystem account.
When EnumServicesStatusEx function is called, if the caller does not have the SERVICE_QUERY_STATUS access right to a service, the service is silently omitted from the list of services returned to the client.
