What function does the Windows "Bypass traverse checking" privilege perform

This repository is used for Windows client for IT Pro content on Microsoft Learn. - windows-itpro-docs/event-4656.md at public · MicrosoftDocs/windows-itpro-docs
title: 4656(S, F) A handle to an object was requested. (Windows 10)
description: Describes security event 4656(S, F) A handle to an object was requested.
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: itpro-security
ms.topic: reference

4656(S, F): A handle to an object was requested.

Event 4656 illustration

Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage

Event Description:

This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.

If access was declined, a Failure event is generated.

This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.

This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an object.”

Note  For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4656</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
    <EventRecordID>274057</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
    <Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
    <Data Name="AccessMask">0x12019f</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="RestrictedSidCount">0</Data>
    <Data Name="ProcessId">0x1074</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
  </EventData>
</Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions:

  • 0 — Windows Server 2008, Windows Vista.

  • 1 — Windows Server 2012, Windows 8.

    • Added “Resource Attributes” field.

    • Added “Access Reasons” field.

Field Descriptions:

Subject:

  • Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note  A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.

  • Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Object:

  • Object Server [Type = UnicodeString]: has “Security” value for this event.

  • Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.

    The following table contains the list of the most common Object Types:

Directory Event Timer Device
Mutant Type File Token
Thread Section WindowStation DebugObject
FilterCommunicationPort EventPair Driver IoCompletion
Controller SymbolicLink WmiGuid Process
Profile Desktop KeyedEvent Adapter
Key WaitablePort Callback Semaphore
Job Port FilterConnectionPort ALPC Port

  • Object Name [Type = UnicodeString]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.

  • Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.

  • Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed.

    For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))

    • Impact_MS: Resource Property ID.

    • 3000: Resource Property Value.

Impact property illustration

Process Information:

  • Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

    Task manager illustration

    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

    You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.

  • Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Access Request Information:

  • Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”

    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note  GUID is an acronym for ‘Globally Unique Identifier’. It is a 128-bit integer number used to identify resources, activities or instances.

  • Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.

    Each entry gives the Access name, its Hexadecimal Value and Schema Value, and the Description.

    • ReadData (or ListDirectory): 0x1, %%4416. (For registry objects, this is “Query key value.”)
      ReadData — For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
      ListDirectory — For a directory, the right to list the contents of the directory.

    • WriteData (or AddFile): 0x2, %%4417. (For registry objects, this is “Set key value.”)
      WriteData — For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE).
      AddFile — For a directory, the right to create a file in the directory.

    • AppendData (or AddSubdirectory or CreatePipeInstance): 0x4, %%4418.
      AppendData — For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
      AddSubdirectory — For a directory, the right to create a subdirectory.
      CreatePipeInstance — For a named pipe, the right to create a pipe.

    • ReadEA: 0x8, %%4419. (For registry objects, this is “Enumerate sub-keys.”)
      The right to read extended file attributes.

    • WriteEA: 0x10, %%4420.
      The right to write extended file attributes.

    • Execute/Traverse: 0x20, %%4421.
      Execute — For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
      Traverse — For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.

    • DeleteChild: 0x40, %%4422.
      For a directory, the right to delete a directory and all the files it contains, including read-only files.

    • ReadAttributes: 0x80, %%4423.
      The right to read file attributes.

    • WriteAttributes: 0x100, %%4424.
      The right to write file attributes.

    • DELETE: 0x10000, %%1537.
      The right to delete the object.

    • READ_CONTROL: 0x20000, %%1538.
      The right to read the information in the object’s security descriptor, not including the information in the system access control list (SACL).

    • WRITE_DAC: 0x40000, %%1539.
      The right to modify the discretionary access control list (DACL) in the object’s security descriptor.

    • WRITE_OWNER: 0x80000, %%1540.
      The right to change the owner in the object’s security descriptor.

    • SYNCHRONIZE: 0x100000, %%1541.
      The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

    • ACCESS_SYS_SEC: 0x1000000, %%1542.
      The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object’s security descriptor.

    Table 14. File System objects access rights.

  • Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply.

  • Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.

  • Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:

    Each entry gives the Privilege Name, its User Right Group Policy Name in parentheses, and the Description.

    • SeAssignPrimaryTokenPrivilege (Replace a process-level token): Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.

    • SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.

    • SeBackupPrivilege (Back up files and directories): Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:

      • READ_CONTROL

      • ACCESS_SYSTEM_SECURITY

      • FILE_GENERIC_READ

      • FILE_TRAVERSE

    • SeChangeNotifyPrivilege (Bypass traverse checking): Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

    • SeCreateGlobalPrivilege (Create global objects): Required to create named file mapping objects in the global namespace during Terminal Services sessions.

    • SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.

    • SeCreatePermanentPrivilege (Create permanent shared objects): Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.

    • SeCreateSymbolicLinkPrivilege (Create symbolic links): Required to create a symbolic link.

    • SeCreateTokenPrivilege (Create a token object): Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.

    • SeDebugPrivilege (Debug programs): Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.

    • SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.

    • SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.

    • SeIncreaseBasePriorityPrivilege (Increase scheduling priority): Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

    • SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.

    • SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.

    • SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.

    • SeLockMemoryPrivilege (Lock pages in memory): Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

    • SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.

    • SeManageVolumePrivilege (Perform volume maintenance tasks): Required to run maintenance tasks on a volume, such as remote defragmentation.

    • SeProfileSingleProcessPrivilege (Profile single process): Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.

    • SeRelabelPrivilege (Modify an object label): Required to modify the mandatory integrity level of an object.

    • SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.

    • SeRestorePrivilege (Restore files and directories): Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:

      • WRITE_DAC

      • WRITE_OWNER

      • ACCESS_SYSTEM_SECURITY

      • FILE_GENERIC_WRITE

      • FILE_ADD_FILE

      • FILE_ADD_SUBDIRECTORY

      • DELETE

      With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object.

    • SeSecurityPrivilege (Manage auditing and security log): Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.

    • SeShutdownPrivilege (Shut down the system): Required to shut down a local system.

    • SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

    • SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

    • SeSystemProfilePrivilege (Profile system performance): Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

    • SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

    • SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

    • SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

    • SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer’s internal clock.

    • SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller): Required to access Credential Manager as a trusted caller.

    • SeUndockPrivilege (Remove computer from docking station): Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

    • SeUnsolicitedInputPrivilege (Not applicable): Required to read unsolicited input from a terminal device.

  • Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific Object Types.
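The following Python is an added example, not code from the Microsoft page: it decodes the Access Request Information of the Event XML shown above. It maps the %% schema values in AccessList to the names in Table 14, expands AccessMask bit by bit against the same table and checks that the two agree (a mismatch or a leftover bit means a right the table does not cover), converts ProcessId to decimal as described under Process ID, and pulls the Resource Property ID and value out of ResourceAttributes. The sample event is the page's XML trimmed to the fields used. Two assumptions are labelled in the code: the Keywords-to-Success/Failure mapping uses the standard Security log audit keywords, and the AccessReason codes are left undecoded because the page does not define them.

```python
"""Decode the Access Request Information of a 4656 event (added example, not from the page)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Event XML from this page, trimmed to the fields used here.
SAMPLE_4656 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <EventID>4656</EventID>
  <Version>1</Version>
  <Keywords>0x8010000000000000</Keywords>
  <Computer>DC01.contoso.local</Computer>
 </System>
 <EventData>
  <Data Name="SubjectUserName">dadmin</Data>
  <Data Name="SubjectDomainName">CONTOSO</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
  <Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
  <Data Name="AccessMask">0x12019f</Data>
  <Data Name="PrivilegeList">-</Data>
  <Data Name="ProcessId">0x1074</Data>
  <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
  <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
 </EventData>
</Event>"""

# Table 14 from this page: schema value -> (access name, hexadecimal mask bit).
ACCESS_RIGHTS = {
    "%%4416": ("ReadData (or ListDirectory)", 0x1),
    "%%4417": ("WriteData (or AddFile)", 0x2),
    "%%4418": ("AppendData (or AddSubdirectory or CreatePipeInstance)", 0x4),
    "%%4419": ("ReadEA", 0x8),
    "%%4420": ("WriteEA", 0x10),
    "%%4421": ("Execute/Traverse", 0x20),
    "%%4422": ("DeleteChild", 0x40),
    "%%4423": ("ReadAttributes", 0x80),
    "%%4424": ("WriteAttributes", 0x100),
    "%%1537": ("DELETE", 0x10000),
    "%%1538": ("READ_CONTROL", 0x20000),
    "%%1539": ("WRITE_DAC", 0x40000),
    "%%1540": ("WRITE_OWNER", 0x80000),
    "%%1541": ("SYNCHRONIZE", 0x100000),
    "%%1542": ("ACCESS_SYS_SEC", 0x1000000),
}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: standard Security log audit keywords (Audit Failure / Audit Success bits).
KW_AUDIT_FAILURE = 0x0010000000000000
KW_AUDIT_SUCCESS = 0x0020000000000000


def parse_event(xml_text):
    """Flatten <Data Name=...> elements plus EventID/Keywords into one dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    fields["Keywords"] = root.findtext("e:System/e:Keywords", namespaces=NS)
    return fields


def outcome(keywords_hex):
    """Map the System/Keywords value to the (S)/(F) outcome of the event."""
    kw = int(keywords_hex, 16)
    if kw & KW_AUDIT_FAILURE:
        return "Failure"
    if kw & KW_AUDIT_SUCCESS:
        return "Success"
    return "Unknown"


def decode_access_list(access_list):
    """Translate the space-separated %% schema values into Table 14 names (unknown codes kept as-is)."""
    return [ACCESS_RIGHTS.get(code, (code, 0))[0] for code in access_list.split()]


def decode_access_mask(mask_hex):
    """Expand AccessMask into Table 14 names, lowest bit first; also return any bits the table lacks."""
    mask = int(mask_hex, 16)
    names, leftover = [], mask
    for name, bit in sorted(ACCESS_RIGHTS.values(), key=lambda t: t[1]):
        if mask & bit:
            names.append(name)
            leftover &= ~bit
    return names, leftover


def parse_resource_attributes(sddl):
    """Extract (property id, type code, flags, values) from the RA ACE; None if the field is '-'."""
    m = re.search(r'\("([^"]+)",([A-Z]+),(0x[0-9a-fA-F]+),([^)]*)\)', sddl)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3), 16), m.group(4).split(",")


def summarize(xml_text):
    """One analyst-friendly record per event; AccessReason codes are deliberately not decoded."""
    f = parse_event(xml_text)
    listed = decode_access_list(f["AccessList"])
    from_mask, leftover = decode_access_mask(f["AccessMask"])
    return {
        "outcome": outcome(f["Keywords"]),
        "subject": f"{f['SubjectDomainName']}\\{f['SubjectUserName']}",
        "object": f["ObjectName"],
        "process": f["ProcessName"],
        "pid": int(f["ProcessId"], 16),          # hex in the event, decimal in Task Manager
        "privileges": f.get("PrivilegeList", "-"),
        "accesses": listed,
        "mask_matches_list": set(listed) == set(from_mask) and leftover == 0,
        "unlisted_mask_bits": leftover,
        "resource_attribute": parse_resource_attributes(f.get("ResourceAttributes", "-")),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_4656).items():
        print(f"{key}: {value}")
```

For the page's sample the mask 0x12019f expands to exactly the nine rights in AccessList, the process ID 0x1074 is 4212 in Task Manager terms, and the Keywords value marks the event as a Failure, which agrees with the denied ACE recorded in AccessReason.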

Security Monitoring Recommendations

For 4656(S, F): A handle to an object was requested.

For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.

For other types of objects, the following recommendations apply.

Important  For this event, also see Appendix A: Security monitoring recommendations for many audit events.

  • If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.

  • You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).

  • If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”

  • If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor all 4656 events.

  • If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4656 events with the corresponding Access Request Information\Accesses values.

  • If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events with specific Resource Attributes field values.

    For file system objects, we recommend that you monitor these Access Request Information\Accesses rights (especially for Failure events):

    • WriteData (or AddFile)

    • AppendData (or AddSubdirectory or CreatePipeInstance)

    • WriteEA

    • DeleteChild

    • WriteAttributes

    • DELETE

    • WRITE_DAC

    • WRITE_OWNER
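The following Python is an added example, not from the Microsoft page, that turns the recommendations above into a triage function. It takes events whose fields a SIEM has already extracted and decoded (Process Name, Object Name, the Accesses names from Table 14, and the Success/Failure outcome) and reports which recommendation each event trips: a process that differs from the pre-defined one for that object, a process outside the standard folders or inside a restricted one, a restricted substring such as “mimikatz” in the process name, access to a sensitive object, and the write-like rights listed above, flagged more strongly on Failure events. The folder lists, sensitive-object watch list and expected-process mapping are a constructed local policy; the three sample events are constructed as well, the first mirroring the page's Event XML.

```python
"""Triage decoded 4656 events against this page's monitoring recommendations (added example)."""
import ntpath

# Access Request Information\Accesses values the page recommends watching for file system objects.
WRITE_LIKE_RIGHTS = {
    "WriteData (or AddFile)",
    "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "WriteEA",
    "DeleteChild",
    "WriteAttributes",
    "DELETE",
    "WRITE_DAC",
    "WRITE_OWNER",
}
# Constructed local policy (hypothetical; adjust to your environment). Paths are compared lowercase.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
SENSITIVE_OBJECTS = {"c:\\documents\\hbi data.txt"}
EXPECTED_PROCESS = {"c:\\documents\\hbi data.txt": "c:\\windows\\system32\\notepad.exe"}


def triage(event):
    """Return the list of findings for one event.

    event is a dict of already-decoded fields: ProcessName, ObjectName,
    Accesses (list of Table 14 names) and Outcome ("Success" or "Failure").
    """
    findings = []
    proc = event["ProcessName"].lower()
    obj = event["ObjectName"].lower()
    if obj in EXPECTED_PROCESS and proc != EXPECTED_PROCESS[obj]:
        findings.append("process does not match the pre-defined Process Name for this object")
    if not proc.startswith(STANDARD_FOLDERS):
        findings.append("process not in a standard folder")
    if any(folder in proc for folder in RESTRICTED_FOLDERS):
        findings.append("process in a restricted folder")
    # ntpath handles backslash paths regardless of the host the triage runs on.
    if any(word in ntpath.basename(proc) for word in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in process name")
    if obj in SENSITIVE_OBJECTS:
        findings.append("access requested to a sensitive object")
    writes = WRITE_LIKE_RIGHTS & set(event["Accesses"])
    if writes:
        findings.append("write-like access requested: " + ", ".join(sorted(writes)))
        if event["Outcome"] == "Failure":
            findings.append("write-like access failed (Failure event)")
    return findings


# Constructed sample events. The first mirrors the Event XML on this page (a Failure event).
SAMPLE_EVENTS = [
    {"ProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ObjectName": "C:\\Documents\\HBI Data.txt",
     "Accesses": ["READ_CONTROL", "SYNCHRONIZE", "ReadData (or ListDirectory)",
                  "WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)",
                  "ReadEA", "WriteEA", "ReadAttributes", "WriteAttributes"],
     "Outcome": "Failure"},
    {"ProcessName": "C:\\Program Files\\Contoso\\Report.exe",
     "ObjectName": "C:\\Data\\report.txt",
     "Accesses": ["ReadData (or ListDirectory)", "SYNCHRONIZE"],
     "Outcome": "Success"},
    {"ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\mimikatz.exe",
     "ObjectName": "C:\\Documents\\HBI Data.txt",
     "Accesses": ["READ_CONTROL", "WRITE_DAC"],
     "Outcome": "Success"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ProcessName"], "->", ev["ObjectName"])
        for finding in triage(ev) or ["no findings"]:
            print("  ", finding)
```

The page's own sample event yields three findings (sensitive object, write-like rights requested, and the Failure outcome on those rights); the benign read from a Program Files binary yields none.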

title description ms.pagetype ms.prod ms.mktglfcycl ms.sitesec ms.localizationpriority author ms.date ms.reviewer manager ms.author ms.technology ms.topic

4656(S, F) A handle to an object was requested. (Windows 10)

Describes security event 4656(S, F) A handle to an object was requested.

security

windows-client

deploy

library

none

vinaypamnani-msft

09/07/2021

aaroncz

vinpa

itpro-security

reference

4656(S, F): A handle to an object was requested.

Event 4656 illustration

Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage

Event Description:

This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.

If access was declined, a Failure event is generated.

This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.

This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an object.”

Note  For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4656</EventID> 
 <Version>1</Version> 
 <Level>0</Level> 
 <Task>12800</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8010000000000000</Keywords> 
 <TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" /> 
 <EventRecordID>274057</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="516" ThreadID="524" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
 <Data Name="SubjectUserName">dadmin</Data> 
 <Data Name="SubjectDomainName">CONTOSO</Data> 
 <Data Name="SubjectLogonId">0x4367b</Data> 
 <Data Name="ObjectServer">Security</Data> 
 <Data Name="ObjectType">File</Data> 
 <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data> 
 <Data Name="HandleId">0x0</Data> 
 <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
 <Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data> 
 <Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data> 
 <Data Name="AccessMask">0x12019f</Data> 
 <Data Name="PrivilegeList">-</Data> 
 <Data Name="RestrictedSidCount">0</Data> 
 <Data Name="ProcessId">0x1074</Data> 
 <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data> 
 <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data> 
 </EventData>
 </Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions:

  • 0 — Windows Server 2008, Windows Vista.

  • 1 — Windows Server 2012, Windows 8.

    • Added “Resource Attributes” field.

    • Added “Access Reasons” field.

Field Descriptions:

Subject:

  • Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note  A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.

  • Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Object:

  • Object Server [Type = UnicodeString]: has “Security” value for this event.

  • Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.

    The following table contains the list of the most common Object Types:

Directory Event Timer Device
Mutant Type File Token
Thread Section WindowStation DebugObject
FilterCommunicationPort EventPair Driver IoCompletion
Controller SymbolicLink WmiGuid Process
Profile Desktop KeyedEvent Adapter
Key WaitablePort Callback Semaphore
Job Port FilterConnectionPort ALPC Port
  • Object Name [Type = UnicodeString]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.

  • Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.

  • Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed.

    For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;(«Impact_MS»,TI,0x10020,3000))

    • Impact_MS: Resource Property ID.

    • 3000: Recourse Property Value.

Impact property illustration

Process Information:

  • Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

    Task manager illustration

    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

    You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process InformationNew Process ID.

  • Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Access Request Information:

  • Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”

    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note  GUID is an acronym for ‘Globally Unique Identifier’. It is a 128-bit integer number used to identify resources, activities or instances.

  • Accesses [Type = UnicodeString]: the list of access rights which were requested by SubjectSecurity ID. These access rights depend on Object Type. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.

| Access | Hexadecimal Value, Schema Value | Description |
|---|---|---|
| ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData — For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory — For a directory, the right to list the contents of the directory. |
| WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData — For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile — For a directory, the right to create a file in the directory. |
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4, %%4418 | AppendData — For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY). AddSubdirectory — For a directory, the right to create a subdirectory. CreatePipeInstance — For a named pipe, the right to create a pipe. |
| ReadEA (For registry objects, this is “Enumerate sub-keys.”) | 0x8, %%4419 | The right to read extended file attributes. |
| WriteEA | 0x10, %%4420 | The right to write extended file attributes. |
| Execute/Traverse | 0x20, %%4421 | Execute — For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter. Traverse — For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information. |
| DeleteChild | 0x40, %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80, %%4423 | The right to read file attributes. |
| WriteAttributes | 0x100, %%4424 | The right to write file attributes. |
| DELETE | 0x10000, %%1537 | The right to delete the object. |
| READ_CONTROL | 0x20000, %%1538 | The right to read the information in the object’s security descriptor, not including the information in the system access control list (SACL). |
| WRITE_DAC | 0x40000, %%1539 | The right to modify the discretionary access control list (DACL) in the object’s security descriptor. |
| WRITE_OWNER | 0x80000, %%1540 | The right to change the owner in the object’s security descriptor. |
| SYNCHRONIZE | 0x100000, %%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. |
| ACCESS_SYS_SEC | 0x1000000, %%1542 | The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object’s security descriptor. |

Table 14. File System objects access rights.

  • Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply.

  • Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.

  • Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:

| Privilege Name | User Right Group Policy Name | Description |
|---|---|---|
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
| SeBackupPrivilege | Back up files and directories | Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE. |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. |
| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set. |
| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process. |
| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. |
| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. |
| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed-up files and directories, and it determines which users can set any valid security principal as the owner of an object. |
| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. |
| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
| SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer’s internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on. |
| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a terminal device. |

  • Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific Object Types.

Security Monitoring Recommendations

For 4656(S, F): A handle to an object was requested.

For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.

For other types of objects, the following recommendations apply.

Important  For this event, also see Appendix A: Security monitoring recommendations for many audit events.

  • If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.

  • You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).

  • If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”

  • If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor all 4656 events.

  • If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4656 events with the corresponding Access Request Information\Accesses values.

  • If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events with specific Resource Attributes field values.

    For file system objects, we recommend that you monitor these Access Request Information\Accesses rights (especially for Failure events):

    • WriteData (or AddFile)

    • AppendData (or AddSubdirectory or CreatePipeInstance)

    • WriteEA

    • DeleteChild

    • WriteAttributes

    • DELETE

    • WRITE_DAC

    • WRITE_OWNER
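As an added example (not code from the Microsoft page or the windows-itpro-docs project), the following Python decodes the Access Mask field with the Table 14 bits and applies the recommendations above (process not in a standard folder, restricted substrings in Process Name, monitored write rights on file objects, Failure events) to constructed 4656 events. The EventData element names it reads (AccessMask, ProcessName, ObjectName, ObjectType) are those of the 4656 event; the standard-folder and substring lists are assumptions an analyst would tune per environment.

```python
"""Decode a 4656 Access Mask with Table 14 and apply the page's monitoring
recommendations to constructed sample events (added example, not Microsoft's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Table 14 bits: access mask bit -> Access name, as listed on the page.
ACCESS_RIGHTS: Dict[int, str] = {
    0x1: "ReadData (or ListDirectory)",
    0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
    0x1000000: "ACCESS_SYS_SEC",
}
KNOWN_BITS = sum(ACCESS_RIGHTS)  # OR of all documented bits (they do not overlap)

# Rights the recommendations single out for file system objects.
MONITORED_WRITE_RIGHTS = {
    "WriteData (or AddFile)",
    "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "WriteEA", "DeleteChild", "WriteAttributes",
    "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# Security-log Keywords values for Audit Success / Audit Failure.
AUDIT_SUCCESS = 0x8020000000000000
AUDIT_FAILURE = 0x8010000000000000

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed "standard" folders and restricted substrings; tune per environment.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def decode_access_mask(mask: int) -> List[str]:
    """Map an Access Mask value to the Table 14 names it contains."""
    names = [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:  # bits outside Table 14 (e.g. object-specific rights)
        names.append(f"unknown:0x{unknown:x}")
    return names


def review_event(xml_text: str) -> Dict[str, object]:
    """Parse one 4656 event and return the recommendation hits for it."""
    root = ET.fromstring(xml_text)
    keywords = int(root.find("e:System/e:Keywords", NS).text, 16)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    rights = decode_access_mask(int(data["AccessMask"], 16))
    process = data["ProcessName"].lower()

    findings: List[str] = []
    if not process.startswith(STANDARD_FOLDERS):
        findings.append("Process Name outside standard folders")
    if any(s in process for s in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in Process Name")
    hits = MONITORED_WRITE_RIGHTS.intersection(rights)
    if data.get("ObjectType") == "File" and hits:  # file system objects only
        findings.append("monitored write rights requested: " + ", ".join(sorted(hits)))
    return {"failure": keywords == AUDIT_FAILURE, "object": data.get("ObjectName"),
            "rights": rights, "findings": findings}


def sample_event(keywords: int, process_name: str, object_name: str,
                 access_mask: int) -> str:
    """Build a constructed 4656 event carrying the fields review_event() reads."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>4656</EventID><Keywords>0x{keywords:016x}</Keywords></System>'
        '<EventData><Data Name="ObjectType">File</Data>'
        f'<Data Name="ObjectName">{object_name}</Data>'
        f'<Data Name="AccessMask">0x{access_mask:x}</Data>'
        f'<Data Name="ProcessName">{process_name}</Data></EventData></Event>'
    )


if __name__ == "__main__":
    # Constructed: a failed write request on the hosts file from a process in %TEMP%.
    event = sample_event(AUDIT_FAILURE,
                         "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
                         "C:\\Windows\\System32\\drivers\\etc\\hosts",
                         0x2 | 0x100000)
    print(review_event(event))
```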

Configuring user rights

The Local Policies section contains three nodes: Audit Policy, User Rights Assignment, and Security Options.

User rights

You can assign the required rights to groups and to individual user accounts. To simplify administration, Microsoft recommends assigning rights to groups of users rather than to individual user accounts. Each user right allows the groups or individual users to which it is assigned to perform certain actions, such as backing up files or changing the system time. If a user is a member of several groups, the user rights are cumulative, so the user receives all the rights assigned to each of those groups.

There are two types of user rights: privileges and logon rights.

A privilege is a user right that allows the members of the groups to which it is assigned to perform certain actions, usually ones that affect the whole system rather than a single object. The privileges available in Windows XP Professional are described in Table 3.

Table 3. Privileges available in Windows XP Professional.

| Privilege | Description |
|---|---|
| Act As Part Of The Operating System | Allows a process to authenticate like a user and gain access to resources in the same way as a user. Do not assign this privilege unless you are sure it is needed. Only low-level authentication services may require it. Processes that require this privilege should run under the LocalSystem account, because that account already has the privilege assigned. Individual user accounts with this privilege allow users or processes to obtain an access token that grants more rights than they should have, and to avoid being identified when events are written to the audit logs. |
| Add Workstations To Domain | Allows the user to add computers to the domain. Users of the specified domain are first added on the computer, which creates an object in the Computer container of the domain's Active Directory. For the privilege to be effective, it should be assigned as part of the default domain controllers policy for that domain. |
| Back Up Files And Directories | Allows backups to be performed without assigning permissions that grant access to all files and folders on the system. By default, on workstations, member servers and domain controllers this privilege is assigned to members of the Administrators and Backup Operators groups. On domain controllers it is also assigned to members of the Server Operators group. |
| Bypass Traverse Checking | Allows the user to pass through folders to which the user has no access permissions. The privilege does not allow viewing the contents of folders, only passing through them on the path to a file. On workstations and member servers this privilege is by default assigned to the Administrators, Backup Operators, Power Users, Users and Everyone groups. |
| Change The System Time | Allows changing the time of the computer's internal clock. On workstations and member servers this privilege is by default assigned to the Administrators and Power Users groups, and to the LocalSystem and NetworkService accounts. On domain controllers it is by default assigned to the Administrators and Server Operators groups, and to the LocalSystem and NetworkService accounts. |
| Create A Token Object | Allows a process to create a token used to access resources on the local computer when the process uses the corresponding application programming interface (API). Microsoft recommends running processes that require this privilege under the LocalSystem account, because that account already has the privilege assigned. |
| Create Permanent Shared Objects | Allows a process to create a directory object in the Windows object manager. This privilege is used by kernel-mode components that plan to extend the Windows object namespace. Components running in kernel mode already have this privilege, so it does not need to be assigned. |
| Create A Pagefile | Allows creating paging files and changing the size of existing paging files. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |
| Debug Programs | Allows attaching a debugger to any process. This privilege gives access to critical operating system components. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |
| Enable Computer And User Accounts To Be Trusted For Delegation | Allows the user to set the Trusted For Delegation right on user or computer objects. A server process running on a computer that is trusted for delegation, or on behalf of a user who is trusted for delegation, can access resources on another computer. Do not assign this privilege unless necessary, because setting the Trusted For Delegation parameter makes your system vulnerable to attack by Trojan horse programs that use client calls to gain access to network resources. On workstations and member servers this privilege is not assigned to anyone. On domain controllers it is by default assigned to the Administrators group. |
| Force Shutdown From A Remote System | Allows shutting down the computer from a remote computer on the network. On workstations and member servers this privilege is by default assigned to the Administrators group. On domain controllers it is by default assigned to the Administrators and Server Operators groups. |
| Generate Security Audits | Allows a process to add entries to the security log for audited objects. |
| Adjust Memory Quotas For A Process | Allows a process to change the processor resource quota allocated to another process. The process changing the quota must have write access to the process whose quota is being changed. |
| Increase Scheduling Priority | Allows a process to change the execution priority of another process. The process changing the priority must have write access to the process whose priority is being changed. Also allows the user to change process priority through Task Manager. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |
| Load And Unload Device Drivers | Allows installing and removing Plug and Play device drivers. This privilege has no effect on devices that are not Plug and Play compatible. Be careful when assigning this privilege. Device drivers run as trusted programs, so only drivers with a valid digital signature should be installed. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |
| Lock Pages In Memory | Allows a process to lock data in physical memory, which prevents Windows XP Professional from moving that data to virtual memory (the paging file) on disk. By default the privilege is not assigned to anyone. Some system processes have it. |
| Manage Auditing And Security Log | Allows the user to set audit parameters for individual objects such as files, Active Directory objects and registry keys. Users with this privilege can also view and clear the security log using Event Viewer. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |
| Modify Firmware Environment Values | Allows using System Properties to change system environment variables. Also allows a process that uses the corresponding API to change system environment variables. |
| Perform Volume Maintenance Tasks | Allows the user to run disk maintenance tools such as Disk Cleanup or Disk Defragmenter. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |
| Profile A Single Process | Allows the user to use performance profiling tools to monitor non-system processes. On workstations and member servers this privilege is by default assigned to the Administrators and Power Users groups. On domain controllers only administrators have this privilege. |
| Profile System Performance | Allows the user to use performance profiling tools to monitor the performance of system processes. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |
| Remove Computer From Docking Station | Allows undocking a portable computer from its docking station. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators, Power Users and Users groups. |
| Replace A Process-Level Token | Allows a parent process to replace the access token associated with a child process. |
| Restore Files And Directories | Allows restoring backed-up files and directories without assigning the user permissions on those files and directories, and allows that user to act as the owner of the objects. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators and Backup Operators groups. On domain controllers it is also assigned to the Server Operators group. |
| Shut Down The System | Allows the user to shut down the local computer. On workstations this privilege is by default assigned to the Administrators, Backup Operators, Power Users and Users groups. On member servers it is by default assigned to the Administrators, Backup Operators and Power Users groups. On domain controllers it is by default assigned to the Administrators, Account Operators, Backup Operators, Print Operators and Server Operators groups. |
| Synchronize Directory Service Data | Allows a process to synchronize the directory service. The privilege is used only on domain controllers. |
| Take Ownership Of Files Or Other Objects | Allows the user to become the owner of system objects, including Active Directory objects, files and folders, printers, registry keys, processes and threads. On workstations, member servers and domain controllers this privilege is by default assigned to the Administrators group. |

Logon rights are user rights assigned to a group or an individual user account. They determine the ways in which a user can log on to the system. The logon rights you can assign in Windows XP Professional are described in Table 4.

Table 4. Logon rights available in Windows XP Professional.

| Logon right | Description |
|---|---|
| Access This Computer From The Network | Allows the user to connect to the computer over the network. On workstations, member servers and domain controllers this logon right is by default assigned to the Administrators, Power Users and Everyone groups. |
| Deny Access To This Computer From The Network | Prevents the user from connecting to the computer over the network. By default this right is not assigned to anyone. |
| Log On As A Batch Job | Allows the user to log on using batch facilities. On workstations, member servers and domain controllers this logon right is by default assigned to the Administrators group. If Internet Information Services (IIS) is installed, the right is automatically assigned to the built-in account for anonymous access to IIS. |
| Deny Logon As A Batch Job | Prevents the user from connecting to the computer using batch facilities. By default this right is not assigned to anyone. |
| Log On As A Service | Allows security principals that have accounts, such as users, computers or services, to log on to the system as services. Services can be configured to run under the LocalSystem, LocalService or NetworkService accounts, which have the right to log on as a service. Other services, running under separate accounts, require explicit assignment of this right. By default this right is not assigned to anyone. |
| Deny Logon As A Service | Prevents a security principal from logging on as a service. By default this right is not assigned to anyone. |
| Log On Locally | Allows the user to log on at the computer's keyboard. By default this logon right is given to members of the Administrators, Account Operators, Backup Operators, Print Operators and Server Operators groups. |
| Deny Logon Locally | Prevents the user from logging on at the computer's keyboard. By default this right is not assigned to anyone. |
| Allow Logon Through Terminal Services | Allows the user to log on using Terminal Services. On workstations and member servers this logon right is by default given to members of the Administrators and Remote Desktop Users groups. On domain controllers it is by default assigned only to members of the Administrators group. |
| Deny Logon Through Terminal Services | Prevents the user from logging on using Terminal Services. By default this right is not assigned to anyone. |


Oddly enough, Windows NT does not log the use of some privileges even when privilege-use auditing is enabled (so as not to flood the event log). It is still useful to remember which privileges these are. Here is the list.

1. Bypass traverse checking (by default this privilege is granted to the Everyone group).

2. Debug programs (by default this privilege is granted only to the Administrators group).

3. Create a token object (by default not granted to anyone).

4. Replace process level token (by default not granted to anyone).

5. Generate Security Audits (by default not granted to anyone).

6. Backup files and directories (by default this privilege is granted to the Administrators and Backup Operators groups).

7. Restore files and directories (by default this privilege is granted to the Administrators and Backup Operators groups).

The first privilege is granted to everyone, so there is no point in tracking it. The second, debugging programs, is not used in a normally functioning system and can be revoked even from administrators. Privileges 3-5 are very dangerous, since they allow the parameters of the security system to be changed, and they should not be granted to anyone without a particular need.

By contrast, privileges 6-7 are used often during routine work, so auditing them is not at all useless. To do so, create the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:

Name: FullPrivilegeAuditing

Type: REG_BINARY

Value: 1

Note: use of the last two privileges is not audited by default for the simple reason that during backup and restore the archiving/restoring of every single file would be logged. A normal backup may contain thousands of files, so it is not hard to imagine how large the event log would become. Keep this in mind if you intend to enable auditing of the backup/restore privileges.

Q: What is the purpose of the Windows Bypass Traverse Checking user right (also referred to as SeChangeNotifyPrivilege)?

A: If a Windows account is granted the Bypass Traverse Checking user right, the account—or the process that acts on behalf of the account—is allowed to bypass certain Windows security checks. Bypass Traverse Checking determines which users can traverse directory or file system folder trees even though they might not have permissions on the level of the traversed directory or file system folder hierarchy itself.


The following is an example of how this user right works: Imagine you have a file system folder called Confidential_Information that has access permissions only for user Bob. Inside this folder there’s a file called For_Alice_Only.txt that has read permissions for user Alice. If Alice is granted the Bypass Traverse Checking user right, Alice can access the file directly, without having access denied problems because she doesn’t have read permissions on the folder the file is in. Note that the Bypass Traverse Checking user right doesn’t let Alice list the contents of the Confidential_Information folder; instead, it lets her “traverse” the folder and access the For_Alice_Only.txt file directly.


On Windows workstations and servers, the Bypass Traverse Checking user right is given to members of the Administrators, Backup Operators, Power Users (this group doesn’t exist in Windows Vista anymore), Users, and Everyone groups by default. On domain controllers (DCs), the user right is given to members of the Administrators and Authenticated Users groups by default. In a Windows Active Directory (AD) environment, you can centrally control who is granted the Bypass Traverse Checking user right by configuring the corresponding Group Policy Object (GPO) setting in the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment GPO container.


Unless you have very strict security requirements (for example, in government or military environments), I recommend using the default Bypass Traverse Checking settings. If you remove a Windows account’s Bypass Traverse Checking user right, the user will notice a performance hit when he/she accesses files or folders on an NTFS-formatted drive because of the additional folder-level access checks that will occur in the background. That’s why leaving Bypass Traverse Checking enabled is a performance- and NTFS-optimization trick.
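To make the traversal rule concrete, here is an added Python model (not from the original article and not Windows' own access-check code) of the Bob/Alice scenario above: an in-memory folder tree with constructed ACLs, checked with and without the privilege. The names Node, build_tree, check_access and the three rights "read", "list" and "traverse" are assumptions made for this example.

```python
# Added example (not part of the original page): a simplified model of how
# SeChangeNotifyPrivilege (Bypass Traverse Checking) changes an access check.
# Real NTFS semantics are richer; only the traversal step is modelled here.
from dataclasses import dataclass, field


@dataclass
class Node:
    """A directory or file with a constructed ACL: principal -> set of rights."""
    name: str
    acl: dict
    children: dict = field(default_factory=dict)


def rights_for(node, principal):
    # "Everyone" entries apply to every principal in this simplified model.
    return node.acl.get(principal, set()) | node.acl.get("Everyone", set())


def build_tree():
    # Constructed scenario from the answer above: only Bob has rights on the
    # folder, but Alice has read permission on the file inside it.
    root = Node("C:", {"Everyone": {"traverse", "list", "read"}})
    folder = Node("Confidential_Information", {"Bob": {"traverse", "list", "read"}})
    doc = Node("For_Alice_Only.txt", {"Alice": {"read"}, "Bob": {"read"}})
    folder.children[doc.name] = doc
    root.children[folder.name] = folder
    return root


def check_access(root, path, principal, right, bypass_traverse):
    """Return (granted, reason) for `principal` requesting `right` on `path`.

    Without the privilege every directory passed through must grant
    "traverse"; with it only the final object's ACL is evaluated.
    """
    parts = path.split("\\")
    if parts[0] != root.name:
        return False, "unknown root"
    node = root
    for part in parts[1:]:
        if not bypass_traverse and "traverse" not in rights_for(node, principal):
            return False, f"traverse denied at {node.name}"
        node = node.children.get(part)
        if node is None:
            return False, f"{part} not found"
    if right in rights_for(node, principal):
        return True, "granted"
    return False, f"{right} denied on {node.name}"
```

Calling check_access for Alice on the file with bypass_traverse=True grants the read, with bypass_traverse=False it is refused at the folder, and a "list" request on the folder is refused either way, matching the behaviour the answer describes.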
