Windows Server 2003 Recommended Baseline Security (ITSG-20)
4.4.2.8 Bypass traverse checking
sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544
The ‘sechangenotifyprivilege’ grants the right to bypass traverse checking in NTFS file systems
and the Registry. This policy grants the right to Users, Backup Operators, Authenticated Users,
and Administrators.
4.4.2.9 Change the system time
sesystemtimeprivilege = *S-1-5-32-544
The ‘sesystemtimeprivilege’ grants the right to change the system time. This policy grants the right
to Administrators only. The system time is critical in incident investigation: without a consistent time,
it is difficult to correlate events across multiple systems.
4.4.2.10 Create a pagefile
secreatepagefileprivilege = *S-1-5-32-544
The ‘secreatepagefileprivilege’ grants the right to create a page file. This policy grants the right to
Administrators only. Too large a page file can cause poor system performance. Restricting this right to
Administrators limits the exposure to a small set of trusted individuals.
4.4.2.11 Create a token object
secreatetokenprivilege =
The ‘secreatetokenprivilege’ grants the right to create local security token objects, i.e. the ability
to create or modify access tokens. This policy grants the right to no one. Leaving it unassigned helps
prevent privilege escalation attacks and DoS conditions.
4.4.2.12 Create global objects
secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544
The ‘secreateglobalprivilege’ grants the right to create objects that are available to all sessions. This
policy grants the right to Administrators and the SERVICE account. The privilege can be used to affect
other users’ processes.
4.4.2.13 Create permanent shared objects
secreatepermanentprivilege =
The ‘secreatepermanentprivilege’ grants the right to create permanent shared objects (folders, printers).
Users holding this privilege could expose sensitive data to the network by creating a shared object.
This policy grants the right to no one. Only members of the Administrators group can create permanent shared objects.
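The six settings above are written in security-template (INF) syntax, the same format that `secedit /export` produces. The following script is an added example, not part of the ITSG-20 guide: it parses the `[Privilege Rights]` section of an exported template, normalises the `*SID` lists so member order does not matter, and reports every privilege whose holders differ from the baseline values quoted in sections 4.4.2.8 to 4.4.2.13. The INF text embedded in the script is constructed sample input (two of its settings deliberately drift from the baseline) so that it runs offline; on a real host you would feed it the file produced by `secedit /export /cfg <path> /areas USER_RIGHTS`.

```python
"""Audit a secedit-exported security template against the ITSG-20
user-right assignments in sections 4.4.2.8 - 4.4.2.13.

Added example; not code from the original guide. On a Windows host the
live policy is exported with:
    secedit /export /cfg C:\\audit.inf /areas USER_RIGHTS
and the resulting text is passed to check_template(). The SAMPLE_INF
below is constructed input so the script runs offline.
"""

# Baseline values exactly as listed in the guide (leading '*' dropped).
BASELINE = {
    "sechangenotifyprivilege": {"S-1-5-32-545", "S-1-5-32-551",
                                "S-1-5-11", "S-1-5-32-544"},
    "sesystemtimeprivilege": {"S-1-5-32-544"},
    "secreatepagefileprivilege": {"S-1-5-32-544"},
    "secreatetokenprivilege": set(),
    "secreateglobalprivilege": {"S-1-5-6", "S-1-5-32-544"},
    "secreatepermanentprivilege": set(),
}

# Constructed sample export. Two settings drift from the baseline:
# Users (S-1-5-32-545) can change the system time, and Administrators
# hold SeCreatePermanentPrivilege, which the baseline assigns to nobody.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-11,*S-1-5-32-551,*S-1-5-32-545
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-545
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreateTokenPrivilege =
SeCreateGlobalPrivilege = *S-1-5-6,*S-1-5-32-544
SeCreatePermanentPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {privilege_name_lower: set_of_holders} from [Privilege Rights].

    secedit writes well-known accounts as '*SID'; the leading '*' is
    stripped so values compare cleanly. Any other token (a plain account
    name) is kept as written. An empty right-hand side yields an empty set.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = {tok.strip().lstrip("*")
                   for tok in value.split(",") if tok.strip()}
        rights[name.strip().lower()] = holders
    return rights


def check_template(inf_text, baseline=BASELINE):
    """Compare an exported template with the baseline.

    A privilege absent from the export is treated as held by nobody,
    which is how secedit represents an unassigned right.
    Returns {privilege: (extra_holders, missing_holders)} for each deviation.
    """
    actual = parse_privilege_rights(inf_text)
    findings = {}
    for priv, expected in baseline.items():
        got = actual.get(priv, set())
        extra, missing = got - expected, expected - got
        if extra or missing:
            findings[priv] = (extra, missing)
    return findings


if __name__ == "__main__":
    for priv, (extra, missing) in sorted(check_template(SAMPLE_INF).items()):
        print(f"{priv}: extra={sorted(extra)} missing={sorted(missing)}")
```

Comparing holders as sets rather than as raw strings matters in practice: `secedit` does not preserve the order in which SIDs were written, so a text diff of two templates reports spurious differences. The check also flags rights that are present in the export but missing from the baseline only when they are listed in `BASELINE`; extend that table with the other settings from section 4.4.2 to audit the full set.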
Server Policy Files March 2004 51