Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Windows</strong> <strong>Server</strong> <strong>2003</strong><br />
<strong>Recommended</strong> <strong>Baseline</strong> <strong>Security</strong> (ITSG-20)<br />
4.4.2.31 Perform volume maintenance tasks<br />
semanagevolumeprivilege = *S-1-5-32-544<br />
The ‘semanagevolumeprivilege’ grants rights to manage volumes or disks. This policy grants<br />
rights to Administrators only. The administrative function of volume and disk management can<br />
damage user data on a disk. Restricting this privilege reduces the threat.<br />
4.4.2.32 Profile single process<br />
seprofilesingleprocessprivilege = *S-1-5-32-544<br />
The ‘seprofilesingleprocessprivilege’ grants the right to monitor performance of a non-system<br />
process. This policy grants these rights to Administrators. The ability to profile a process can<br />
provide information to be used as a basis of an attack. Limiting privileges to Administrators<br />
reduces this threat.<br />
4.4.2.33 Profile system performance<br />
sesystemprofileprivilege = *S-1-5-32-544<br />
The ‘sesystemprofileprivilege’ grants the right to monitor performance of a system process. This<br />
policy grants these rights to Administrators only. Profiling a system gathers information useful<br />
for an attack. Limiting privileges to Administrators reduces this threat.<br />
4.4.2.34 Remove computer from docking station<br />
seundockprivilege = *S-1-5-32-544<br />
The ‘seundockprivilege’ grants the right to undock the server. This policy grants these privileges<br />
to Administrators only. As a preventive measure, these privileges are restricted.<br />
4.4.2.35 Replace a process level token<br />
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20<br />
The ‘seassignprimarytokenprivilege’ grants the right to replace a process security token of a<br />
child process. These rights are ganted to Local Service and Network Service. This can be used to<br />
launch processes as another user, providing the ability to hide inappropriate activity on a system.<br />
4.4.2.36 Restore files and directories<br />
serestoreprivilege = *S-1-5-32-544<br />
The ‘serestoreprivilege’ grants the right to bypass permissions when restoring objects. This<br />
policy grants privileges to Administrators only. Due to the nature of the restore process, rights<br />
are restricted to accounts that are required to use it.<br />
<strong>Server</strong> Policy Files March 2004 55