With over 35 user rights to choose from and configure on each and every Windows server, it’s important to pick those that have the highest impact and effect if compromised. First, you need to get the listing of user rights from each server. There are a few options, but an ideal solution is to run “secpol.msc” from the Run menu. You will then be presented with the local security policy, as shown in Figure 1.
Figure 1. Local security policy from running “secpol.msc.”
As you can see in Figure 1, if you expand the window to Security Settings – Local Policies – User Rights Assignment, you can view all of the user rights that are configured on the server. If you want to save the settings to a file, you can just right-click on the User Rights Assignment node, and then select Export List.
My experience has shown that all of the user rights are important, but those included in the list below seem to have the most impact on the server, if compromised:
-
Shut down the system.
-
Force shutdown of remote system.
-
Log on as a batch job.
-
Log on as a service.
-
Log on locally.
-
Act as part of the OS.
-
Backup and Restore files and directories.
-
Enable trusted for delegation.
-
Generate security audits.
-
Load and unload device drivers.
-
Manage auditing and security log.
-
Replace process level token.
-
Synchronize directory service data.
-
Take ownership of files and other objects.
After you have verified that each and every user right configuration is correct on each server, you have established a security baseline for user rights. Now, you only need to monitor and set alerts for your high profile servers.
