Windows Server 2003 Recommended Baseline Security
Unclassified ITSG for Windows Server 2003
4.4.2.25 Load and unload device drivers
seloaddriverprivilege = *S-1-5-32-544
The ‘seloaddriverprivilege’ grants the right to load and unload device drivers. This policy grants
privileges to Administrators. The driver code is run with elevated privileges. By restricting
privileges to Administrators, the exposure is reduced.
4.4.2.26 Lock pages in memory
selockmemoryprivilege =
The ‘selockmemoryprivilege’ grants the right to keep data in physical memory. This policy
grants privileges to no one. The abuse of privileges can result in starved memory resources and a
DoS situation. Restricting this privilege reduces exposure to this threat.
4.4.2.27 Log on as a batch job
sebatchlogonright =
The ‘sebatchlogonright’ grants the right to submit batch jobs (log on as a batch job). This policy
grants rights to no one. The Task Scheduler could cause a DoS; limiting this privilege reduces the
threat.
4.4.2.28 Log on as a service
seservicelogonright = *S-1-5-20,*S-1-5-19
The ‘seservicelogonright’ grants the right to log on as a service. This policy grants rights to Local
Service and Network Service. Interactive accounts are purposely excluded.
4.4.2.29 Manage auditing and security log
sesecurityprivilege = *S-1-5-32-544
The ‘sesecurityprivilege’ grants the right to specify object access auditing options. This policy
grants rights to Administrators. Administrators alone can determine the appropriate auditing
level. This ensures that users of the system cannot reduce auditing and eliminate traces of their
activity.
4.4.2.30 Modify firmware environment values
sesystemenvironmentprivilege = *S-1-5-32-544
The ‘sesystemenvironmentprivilege’ grants rights to modify firmware environment values. This
policy grants these rights to Administrators only. The ability to change system configurations
needs to be controlled.
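The following is an added example, not part of the original guide: a small Python audit that compares the [Privilege Rights] section of an exported security template against the six values listed in 4.4.2.25 to 4.4.2.30. The sample template text and the account name svc_backup are constructed, and treating a right that is missing from the export as assigned to no one is an assumption.

```python
# Baseline values copied from sections 4.4.2.25 to 4.4.2.30 above.
BASELINE = {
    "seloaddriverprivilege": {"S-1-5-32-544"},
    "selockmemoryprivilege": set(),
    "sebatchlogonright": set(),
    "seservicelogonright": {"S-1-5-20", "S-1-5-19"},
    "sesecurityprivilege": {"S-1-5-32-544"},
    "sesystemenvironmentprivilege": {"S-1-5-32-544"},
}

# Constructed sample of an exported security template, not from a real host.
SAMPLE_INF = """\
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-19,*S-1-5-20
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544,svc_backup
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {lowercased right: set of assignees}; the '*' SID marker is stripped."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
            rights[name.strip().lower()] = members
    return rights

def audit(text, baseline=BASELINE):
    """Return {right: (extra, missing)} for every right that deviates from the baseline."""
    actual, findings = parse_privilege_rights(text), {}
    for right, expected in baseline.items():
        got = actual.get(right, set())  # assumption: absent line means no assignees
        if got != expected:
            findings[right] = (sorted(got - expected), sorted(expected - got))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_INF))
```

On the constructed sample, the audit reports the batch logon right (which the baseline grants to no one) and the extra account on the firmware environment privilege; the other four rights match.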
54 March 2004 Server Policy Files