Re: List of privileges for the Administrators group



Specifically what I am looking for is the privilege/service that allows read
and write access to \\.\PhysicalDrive0 when a HANDLE is trying to be opened
with the CreateFile() method.

I know if a program that tries to open a handle to \\.\PhysicalDrive0 with a
CreateFile() call is run in an 'Administrators' group it will succeed. I
know if that same program is run in any other built-in group permissions it
will fail. I want to know what service/privilege allows this case to succeed
so the program can be run by a user without needing the full-blown
'Administrators' permissions. I am hoping this is just one
permission/privilege/service and not a combination, which I would have
trouble figuring out.

Thanks.

"Skywing" wrote:

Well, keep in mind that this list of privileges does change:

1. New privileges are sometimes released with OS updates and/or new OS
releases. For instance the SeCreateGlobalPrivilege was introduced in
Win2KSP2 and is given to administrators by default on that platform (or
better), but doesn't exist on Win2KSP0 or NT4.
2. End users are free to alter the permissions given to the administrators
group via group policy or the local security policy snapin.

What exactly are you trying to accomplish here? If you're writing a program
that needs to know if it has a particular privilege or not, it is better to
just test for that actual privilege and not assume it based on the group
name. If you're an administrator looking for default settings for the
administrators group, these are the default for a Windows XP computer (keep
in mind that these may not always be the same for the reasons mentioned
above):

Privs:
00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
01 0x000000008 SeSecurityPrivilege Attributes -
02 0x000000011 SeBackupPrivilege Attributes -
03 0x000000012 SeRestorePrivilege Attributes -
04 0x00000000c SeSystemtimePrivilege Attributes -
05 0x000000013 SeShutdownPrivilege Attributes -
06 0x000000018 SeRemoteShutdownPrivilege Attributes -
07 0x000000009 SeTakeOwnershipPrivilege Attributes -
08 0x000000014 SeDebugPrivilege Attributes -
09 0x000000016 SeSystemEnvironmentPrivilege Attributes -
10 0x00000000b SeSystemProfilePrivilege Attributes -
11 0x00000000d SeProfileSingleProcessPrivilege Attributes -
12 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
13 0x00000000a SeLoadDriverPrivilege Attributes -
14 0x00000000f SeCreatePagefilePrivilege Attributes -
15 0x000000005 SeIncreaseQuotaPrivilege Attributes -
16 0x000000019 SeUndockPrivilege Attributes -
17 0x00000001c SeManageVolumePrivilege Attributes -
18 0x000000002 SeCreateTokenPrivilege Attributes -
19 0x000000003 SeAssignPrimaryTokenPrivilege Attributes -
20 0x00000001e Unknown Privilege Attributes - Enabled Default
21 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default

0x1e is SeCreateGlobalPrivilege.

The Power Users group is somewhere in between Administrators and Users, but
in reality, a clever user with Power User privileges can trivially elevate
themselves to Administrator-level privileges - so I would assume that anyone
with Power User rights is approximately the same as admin.

"why2jjj" <why2jjj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5164DD63-6A6F-4542-BA97-E4BF7F6EAF70@xxxxxxxxxxxxxxxx
Thanks for the tips. I was kind of hoping it would be more simple than this.
Like, since 'Administrators' is a built-in Windows OS group, there would be
a book or website or some selection within the Windows OS that lists what
permissions make up the 'Administrators' group.

"Kellie Fitton" wrote:


Hi,

You need to obtain a SID (security identifier) for the specified
user account, and the name of the domain on which the account was
found, and make sure to use fully qualified account names, then
use the following APIs to enumerate the user's privileges:

SecureZeroMemory() initialize LSA_OBJECT_ATTRIBUTES,
MultiByteToWideChar()
LsaOpenPolicy()
LookupAccountName()
LsaEnumerateAccountRights()
LsaFreeMemory()
LsaClose()

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/securezeromemory.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/intl/unicode_17si.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/lsaopenpolicy.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountname.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsaenumerateaccountrights.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsafreememory.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsaclose.asp

Hope these suggestions help,

Kellie.
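
Added example (not code from any poster in this thread): a parser for the privilege dump Skywing quoted, separating privileges a token merely holds from those that are enabled, which is the per-privilege check recommended above instead of inferring rights from the group name. The struct, the function names and the `SAMPLE` excerpt are illustrative assumptions; the only LUID-to-name mapping used is the 0x1e one stated in the thread.

```c
#include <stdio.h>
#include <string.h>
enum { ATTR_DEFAULT = 0x1, ATTR_ENABLED = 0x2 }; /* SE_PRIVILEGE_* bit values */
struct priv { char name[48]; int attrs; };
/* Lines copied from the dump in the thread, wrapped "Default" lines included. */
static const char SAMPLE[] =
    "00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled\nDefault\n"
    "02 0x000000011 SeBackupPrivilege Attributes -\n"
    "17 0x00000001c SeManageVolumePrivilege Attributes -\n"
    "20 0x00000001e Unknown Privilege Attributes - Enabled\nDefault\n";

static int attrs_of(const char *s) {
    return (strstr(s, "Enabled") ? ATTR_ENABLED : 0) |
           (strstr(s, "Default") ? ATTR_DEFAULT : 0);
}

/* Parse the dump into out[]; LUID 0x1e is named as the thread identifies it. */
int parse_dump(const char *text, struct priv *out, int max) {
    int n = 0;
    while (*text) {
        char line[160]; unsigned luid; int off = 0;
        size_t full = strcspn(text, "\n"), len = full < 159 ? full : 159;
        memcpy(line, text, len); line[len] = '\0';
        text += full + (text[full] == '\n');
        if (sscanf(line, "%*u %x %n", &luid, &off) == 1) {
            char *attr = strstr(line + off, " Attributes -");
            if (!attr || n == max) continue;
            *attr = '\0';  /* line + off is now just the privilege name */
            int unk = luid == 0x1e && !strcmp(line + off, "Unknown Privilege");
            snprintf(out[n].name, sizeof out[n].name, "%s",
                     unk ? "SeCreateGlobalPrivilege" : line + off);
            out[n++].attrs = attrs_of(attr + 1);
        } else if (n > 0) {
            out[n - 1].attrs |= attrs_of(line); /* wrapped continuation line */
        }
    }
    return n;
}

/* -1: not in the token; otherwise attribute bits (0 = held but disabled). */
int priv_state(const struct priv *p, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (!strcmp(p[i].name, name)) return p[i].attrs;
    return -1;
}

int main(void) {
    struct priv p[32]; int n = parse_dump(SAMPLE, p, 32);
    return printf("SeBackupPrivilege: %d\n", priv_state(p, n, "SeBackupPrivilege")) < 0;
}
```

A result of 0 means the privilege is present in the token but not enabled, which is the state of most entries in the dump above.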




