MSDN 도움말에서 2개의 토픽을 발췌했습니다. 찾아보기 귀찮아서. ^^;
In the current release of Windows NT, the set of user rights is defined by the system
and cannot be changed. Future versions of Windows NT may allow software developers
to define new user rights appropriate to their application.
User rights can be assigned to individual user accounts, but are usually (and more
efficiently) assigned to groups. Predefined (built-in) groups have sets of user
rights already assigned. Administrators usually assign user rights by adding a user
account to one of the predefined groups or by creating a new group and assigning
specific user rights to that group. Users who are subsequently added to a group
automatically gain all user rights assigned to the group account.
There are several user rights that administrators of high-security installations
should be aware of and possibly audit. Of these, you might want to change the default
permissions for two rights: Log on locally and Shut down the system.
The rights in the following table generally require no changes to the default settings,
even in the most highly secure installations.
|
|
|
Right
|
Allows
|
Initially assigned to
|
|
Access this computer from the network
|
A user to connect to the computer over the network.
|
Administrators, Everyone, Power Users
|
|
Act as part of the operating system
(SeTcbPrivilege)
|
A process to perform as a secure, trusted part of the operating system. Some subsystems
are granted this right.
|
(None)
|
|
Add workstations to the domain (SeMachineAccountPrivilege)
|
Nothing. This right has no effect on computers running Windows NT.
|
(None)
|
|
Back up files and directories
(SeBackupPrivilege)
|
A user to back up files and directories. This right supersedes file and directory
permissions.
|
Administrators, Backup Operators
|
|
Bypass traverse checking (SeChangeNotifyPrivilege)
|
A user to change directories and to access files and subdirectories, even if the
user has no permission to access parent directories.
|
Everyone
|
|
Change the system time
(SeSystemTimePrivilege)
|
A user to set the time for the internal clock of the computer.
|
Administrators, Power Users
|
|
Create a pagefile
(SeCreatePagefilePrivilege)
|
Nothing. This right has no effect in current versions of Windows NT.
|
Administrators
|
|
Create a token object
(SeCreateTokenPrivilege)
|
A process to create access tokens. Only the Local Security Authority can do this.
|
(None)
|
|
Create permanent shared objects
(SeCreatePermanentPrivilege)
|
A user to create special permanent objects, such as \\Device, that are used within
Windows NT.
|
(None)
|
|
Debug programs
(SeDebugPrivilege)
|
A user to debug various low-level objects, such as threads.
|
Administrators
|
|
Force shutdown from a remote system
(SeRemoteShutdownName)
|
A user to shut down a remote computer.
|
Administrators
|
|
Generate security audits
(SeAuditPrivilege)
|
A process to generate security-audit log entries.
|
(None)
|
|
Increase quotas
(SeIncreaseQuotaPrivilege)
|
Nothing. This right has no effect in current versions of Windows NT.
|
(None)
|
|
Increase scheduling priority
(SeIncreaseBasePriorityPrivilege)
|
A user to boost the execution priority of a process.
|
Administrators, Power Users
|
|
Load and unload device drivers
(SeLoadDriverPrivilege)
|
A user to install and remove device drivers.
|
Administrators
|
|
Lock pages in memory
(SeLockMemoryPrivilege)
|
A user to lock pages in memory so they cannot be paged out to a backing store, such
as Pagefile.sys.
|
(None)
|
|
Log on as a batch job
|
Nothing. This right has no effect in current versions of Windows NT.
|
(None)
|
|
Log on as a service
|
A process to register with the system as a service.
|
(None)
|
|
Log on locally
|
A user to log on at the computer from the computer keyboard.
|
Administrators, Backup Operators, Guests, Power Users, Users
|
|
Manage auditing and security log
(SeSecurityPrivilege)
|
A user to specify what types of resource access (such as file access) are to be
audited, and to view and clear the security log. This right does not allow a user
to set system auditing policy using Audit on the User Manager Policy
menu. Members of the Administrators group can always view and clear the security
log.
|
Administrators
|
|
Modify firmware environment variables
(SeSystemEnvironmentPrivilege)
|
A user to modify system- environment variables stored in nonvolatile RAM on systems
that support this type of configuration.
|
Administrators
|
|
Profile single process
(SeProfSingleProcess)
|
A user to perform profiling (performance sampling) on a process.
|
Administrators, Power Users
|
|
Profile system performance
(SeSystemProfilePrivilege)
|
A user to perform profiling (performance sampling) on the system.
|
Administrators
|
|
Replace a process-level token
(SeAssignPrimaryTokenPrivilege)
|
A user to modify a process's security-access token. This is a powerful right, used
only by the system.
|
(None)
|
|
Restore files and directories
(SeRestorePrivilege)
|
A user to restore backed-up files and directories. This right supersedes file and
directory permissions.
|
Administrators, Backup Operators
|
|
Shut down the system
(SeShutdownPrivilege)
|
A user to shut down Windows NT.
|
Administrators, Backup Operators, Power Users, Users
|
|
Take ownership of files or other objects
(SeTakeOwnershipPrivilege)
|
A user to take ownership of files, directories, printers, and other objects on the
computer. This right supersedes permissions protecting objects.
|
Administrators
|
In Windows NT, you can retrieve a handle to any process in the system by enabling
the SeDebugPrivilege in the calling process. The calling process can then call the
OpenProcess() Win32 API to obtain a handle with PROCESS_ALL_ACCESS.
This functionality is provided for system-level debugging purposes. For debugging
non-system processes, it is not necessary to grant or enable this privilege.
This privilege allows the caller all access to the process, including the ability
to call TerminateProcess(), CreateRemoteThread(), and other potentially dangerous
Win32 APIs on the target process.
Take great care when granting SeDebugPrivilege to users or groups.
Sample Code
The following source code illustrates how to obtain SeDebugPrivilege in order to
get a handle to a process with PROCESS_ALL_ACCESS. The sample code then calls TerminateProcess
on the resultant process handle.
#define RTN_OK 0
#define RTN_USAGE 1
#define RTN_ERROR 13
#include <windows.h>
#include <stdio.h>
BOOL SetPrivilege(
HANDLE hToken,
// token handle
LPCTSTR Privilege, // Privilege
to enable/disable
BOOL bEnablePrivilege // TRUE to enable. FALSE
to disable
);
void DisplayError(LPTSTR szAPI);
int main(int argc, char *argv[])
{
HANDLE hProcess;
HANDLE hToken;
int dwRetVal=RTN_OK; // assume success from main()
// show correct usage for kill
if (argc != 2)
{
fprintf(stderr,"Usage: %s [ProcessId]\n",
argv[0]);
return RTN_USAGE;
}
if(!OpenProcessToken(
GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES
| TOKEN_QUERY,
&hToken
)) return RTN_ERROR;
// enable SeDebugPrivilege
if(!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
{
DisplayError("SetPrivilege");
// close token handle
CloseHandle(hToken);
// indicate failure
return RTN_ERROR;
}
// open the process
if((hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
atoi(argv[1])
// PID from commandline
)) == NULL)
{
DisplayError("OpenProcess");
return RTN_ERROR;
}
// disable SeDebugPrivilege
SetPrivilege(hToken, SE_DEBUG_NAME, FALSE);
if(!TerminateProcess(hProcess, 0xffffffff))
{
DisplayError("TerminateProcess");
dwRetVal=RTN_ERROR;
}
// close handles
CloseHandle(hToken);
CloseHandle(hProcess);
return dwRetVal;
}
BOOL SetPrivilege(
HANDLE hToken,
// token handle
LPCTSTR Privilege, // Privilege
to enable/disable
BOOL bEnablePrivilege // TRUE to enable. FALSE
to disable
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious=sizeof(TOKEN_PRIVILEGES);
if(!LookupPrivilegeValue( NULL, Privilege, &luid )) return
FALSE;
//
// first pass. get current privilege setting
//
tp.PrivilegeCount
= 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = 0;
AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
&tpPrevious,
&cbPrevious
);
if (GetLastError() != ERROR_SUCCESS) return FALSE;
//
// second pass. set privilege based on previous setting
//
tpPrevious.PrivilegeCount
= 1;
tpPrevious.Privileges[0].Luid = luid;
if(bEnablePrivilege) {
tpPrevious.Privileges[0].Attributes |=
(SE_PRIVILEGE_ENABLED);
}
else {
tpPrevious.Privileges[0].Attributes ^=
(SE_PRIVILEGE_ENABLED &
tpPrevious.Privileges[0].Attributes);
}
AdjustTokenPrivileges(
hToken,
FALSE,
&tpPrevious,
cbPrevious,
NULL,
NULL
);
if (GetLastError() != ERROR_SUCCESS) return FALSE;
return TRUE;
}
void DisplayError(
LPTSTR szAPI // pointer to failed API name
)
{
LPTSTR MessageBuffer;
DWORD dwBufferLength;
fprintf(stderr,"%s() error!\n", szAPI);
if(dwBufferLength=FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
GetSystemDefaultLangID(),
(LPTSTR) &MessageBuffer, // FormatMessage가 실패하면 이 포인터 값은 null로 반환
0,
NULL
))
{
DWORD dwBytesWritten;
//
// Output message string on stderr
//
WriteFile(
GetStdHandle(STD_ERROR_HANDLE),
MessageBuffer,
dwBufferLength,
&dwBytesWritten,
NULL
);
//
// free the buffer allocated by the system
//
LocalFree(MessageBuffer); // LocalFree의 경우 내부적으로 null 체크를 하기 때문에, 전달한 포인터에 대한 사전 null 체크가 필요 없습니다.
}
}