Will I see any benefit adjusting token privileges?


GrofLuigi

*Edit: I'm moving the text to the top because the stupid forum software ate it after the table.

While I remember on XP/Win2003 most of them were enabled and there was a slight benefit enabling those that weren't (granting lock pages in memory right or debugprivilege)... I forgot most of it already.

Of course I'll try enabling most of them, if not all, because I hate artificial restrictions Microsoft is putting to restrict the way I use my computer, even if I won't see any benefit. The real question is: Will it break something? Common sense says it shouldn't, but I wouldn't be surprised if Microsoft has put artificial blockades just to make our life miserable.

While I'm at it, I might grant system/trusted installer some more rights if they lack some, because I'm generous.

I have armed myself with NTrights (reports say it still works on Win7 x64), as well as with a few PowerShell scripts... Wish me luck.

The output of whoami /priv:

	
PRIVILEGES INFORMATION
----------------------
Privilege Name                  Description                               State   
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

Edited by GrofLuigi


Well, it seems that whoami /priv doesn't tell the whole truth, it disregards the privileges that are part of the group (administrators) and are in fact enabled for the account.

Out of the three PowerShell scripts I found, two were intended for processes, and the third one requires a newer version of PowerShell than the one that is in Win7 SP1, so I'm putting that on hold for now.

I've turned my attention fully to good old ntrights, but how to check the privileges if whoami is inaccurate? Well, in the same Resource tools kit for Server2003 there is showpriv.exe. I've parsed the output of both to a text file, sorted it and deleted the crud, so I'm left with the list of privileges. Now only to compare. But no two lists are the same (including whoami's and the output of accesschk.exe), and I've also read that ntrights has some undocumented privileges, so everything needs to be triple-checked.

So far, it doesn't seem promising, at least for the Administrator account (yeah, I've been using that one since day one of Windows install :D), there isn't much left to do.


* After several edits: the forum editor is disastrous, it is impossible to bold something (I've done it manually), and paste doesn't paste at the cursor position.
 

Edited by GrofLuigi
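
The compare step described in the post above, as an added example that is not part of the original post: it parses `whoami /priv` table text and diffs the names case-insensitively against a second list. The whoami rows are an excerpt of the table posted earlier; the second list is constructed for illustration and does not reproduce any tool's real output format.

```python
# Excerpt of the `whoami /priv` table from the first post (rows trimmed).
WHOAMI_SAMPLE = """\
Privilege Name                  Description                               State
=============================== ========================================= ========
SeLockMemoryPrivilege           Lock pages in memory                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
"""

# Constructed second list (assumption): one name per line, mixed case,
# as might remain after cleaning up another tool's output.
OTHER_SAMPLE = """\
sedebugprivilege
SeLockMemoryPrivilege
SeChangeNotifyPrivilege
SeTcbPrivilege
"""

def parse_whoami_priv(text):
    """Return {privilege name: state} from `whoami /priv` table text."""
    privs, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("==="):       # ruler row: data rows follow
            in_table = True
        elif in_table and not line.strip():
            break                        # blank line ends the table
        elif in_table:
            parts = line.split()
            privs[parts[0]] = parts[-1]  # first token = name, last = state
    return privs

def compare(token_privs, other_names):
    """Case-insensitive diff of the whoami table against another name list."""
    token = {n.lower(): n for n in token_privs}
    other = {n.strip().lower(): n.strip() for n in other_names if n.strip()}
    return {
        # "Disabled" rows are present in the token but not currently enabled.
        "enabled": sorted(n for n, s in token_privs.items() if s == "Enabled"),
        "not_enabled": sorted(n for n, s in token_privs.items() if s != "Enabled"),
        "only_in_whoami": sorted(token[k] for k in token.keys() - other.keys()),
        "only_in_other": sorted(other[k] for k in other.keys() - token.keys()),
    }

if __name__ == "__main__":
    report = compare(parse_whoami_priv(WHOAMI_SAMPLE), OTHER_SAMPLE.splitlines())
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```
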

2 hours ago, GrofLuigi said:

* After several edits: the forum editor is disastrous, it is impossible to bold something (I've done it manually), and paste doesn't paste at the cursor position.

Not always: it depends on the browser and on the browser version, so that it's somewhat less crappy on FF 49+ and quite bad on IE up to 9. The older versions, which did implement BBCode right, were way much better than this lame duck we're now stuck with, however
