From Wikipedia, the free encyclopedia

In computing, privilege is defined as the delegation of authority over a computer system. A privilege is a permission to perform an action. Examples of various privileges include the ability to create a file in a directory, or to read or delete a file, access a device, or have read or write permission to a socket for communicating over the Internet.

Users who have been delegated extra levels of control are called privileged. Users who lack most privileges are defined as unprivileged, regular, or normal users.

Theory

Privileges can either be automatic, granted, or applied for.

An automatic privilege exists when there is no requirement to have permission to perform an action. For example, on systems where people are required to log into a system to use it, logging out will not require a privilege. Systems that do not implement file protection - such as MS-DOS - essentially give unlimited privilege to perform any action on a file.

A granted privilege exists as a result of presenting some credential to the privilege granting authority. This is usually accomplished by logging on to a system with a username and password, and if the username and password supplied are correct, the user is granted additional privileges.

A privilege is applied for by either an executed program issuing a request for advanced privileges, or by running some program to apply for the additional privileges. An example of a user applying for additional privileges is provided by the sudo command to run a command as the root user, or by the Kerberos authentication system.

Modern processor architectures have multiple CPU modes that allow the OS to run at different privilege levels. Some processors have two levels (such as user and supervisor); i386+ processors have four levels (#0 with the most, #3 with the least privileges). Tasks are tagged with a privilege level. Resources (segments, pages, ports, etc.) and the privileged instructions are tagged with a demanded privilege level. When a task tries to use a resource, or execute a privileged instruction, the processor determines whether it has the permission (if not, a "protection fault" interrupt is generated). This prevents user tasks from damaging the OS or each other.
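The comparison the processor makes can be modelled in a few lines. The following is an added example, not part of the original article: a simplified model of the i386 protected-mode rules for segments, privileged instructions and I/O ports. The names CPL, RPL, DPL and IOPL are Intel's terms rather than the article's, the function names are hypothetical, and stack-segment and gate checks are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of x86 protected-mode privilege checks.
 * Rings run from 0 (most privileged) to 3 (least privileged).
 *   CPL: privilege level of the running task
 *   RPL: requested privilege level carried in the segment selector
 *   DPL: privilege level demanded by the resource's descriptor */
enum seg_kind { SEG_DATA, SEG_CODE_NONCONFORMING, SEG_CODE_CONFORMING };

/* true = access permitted, false = the CPU raises a protection fault */
bool segment_access_ok(enum seg_kind kind, int cpl, int rpl, int dpl)
{
    switch (kind) {
    case SEG_DATA:
        /* the weaker of task and requester must still satisfy the DPL */
        return (cpl > rpl ? cpl : rpl) <= dpl;
    case SEG_CODE_NONCONFORMING:
        /* direct far jump/call: no ring change without a gate */
        return cpl == dpl && rpl <= cpl;
    case SEG_CODE_CONFORMING:
        /* reachable from the same or a less privileged ring */
        return dpl <= cpl;
    }
    return false;
}

/* Privileged instructions (for example HLT or LGDT) need ring 0. */
bool privileged_insn_ok(int cpl) { return cpl == 0; }

/* Port I/O: allowed when CPL <= IOPL; otherwise the task's I/O permission
 * bitmap decides (set bit = deny, ports past the bitmap = deny). */
bool port_io_ok(int cpl, int iopl, const unsigned char *map, size_t map_len,
                unsigned port)
{
    if (cpl <= iopl)
        return true;
    if (map == NULL || port / 8 >= map_len)
        return false;
    return (map[port / 8] & (1u << (port % 8))) == 0;
}

int main(void)
{
    unsigned char map[1] = { 0xFE };  /* constructed: only port 0 allowed */
    printf("ring 3 reads ring 0 data: %d\n", segment_access_ok(SEG_DATA, 3, 3, 0));
    printf("ring 3 runs HLT:          %d\n", privileged_insn_ok(3));
    printf("ring 3 port 0, IOPL 0:    %d\n", port_io_ok(3, 0, map, 1, 0));
    return 0;
}
```

The second data-segment case worth noting is a ring 0 task using a selector with RPL 3 on ring 0 data: the check fails, which is how the kernel avoids acting with its own privileges on a selector handed to it by user code.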

In computer programming, exceptions related to privileged instruction violations may be caused when an array has been accessed out of bounds or an invalid pointer has been dereferenced, and the invalid memory location referenced is a privileged location, such as one controlling device input/output. This is more likely to occur in programming languages such as C, which use pointer arithmetic or do not check array bounds automatically.

Unix

On Unix-like systems, the superuser (commonly known as 'root') owns all the privileges. Ordinary users are granted only enough permissions to accomplish their most common tasks. UNIX systems have built-in security features. Most users cannot set up a new user account or perform other administrative procedures. The user “root” is a special user, called the superuser, which can do anything at all on the system. This high degree of power is necessary to fully administer a UNIX system, but it also allows its user to make a mistake and cause system problems. For this reason you should set up a personal account for yourself that does not have root privileges. Then your normal, day-to-day activities will affect only your personal environment and you will be in no danger of causing system-wide problems.

Unprivileged users usually cannot:

  • Adjust kernel options.
  • Modify system files, or files of other users.
  • Change the owner of any files.
  • Change the runlevel (on systems with System V-style initialization).
  • Adjust ulimits or disk quotas.
  • Start or stop daemons.
  • Signal processes of other users.
  • Create device nodes.
  • Create or remove users or groups.
  • Mount or unmount volumes, although it is becoming common to allow regular users to mount and unmount removable media, such as Compact Discs. This is typically accomplished via FUSE.
  • Execute the contents of any sbin/ directory, although it is becoming common to simply restrict the behavior of such programs when executed by regular users.
  • Bind ports below 1024.
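Because only root can do things such as binding a port below 1024, a service is often started as root and then gives up the superuser's privileges for the rest of its life. The following is an added example, not part of the original article, of dropping to an unprivileged account and verifying that root cannot be regained; the function names are hypothetical and uid/gid 65534 ("nobody" on many Linux systems) is an assumption.

```c
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch the process to an unprivileged uid/gid.
 * Order matters: supplementary groups and the gid must change while the
 * process is still root, because setuid() gives up the right to do so.
 * Returns 0 on success, -1 if a step fails or root can be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                 /* refusing to "drop" to root */
    if (setgroups(0, NULL) != 0)   /* clear inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0)          /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)          /* real, effective and saved uid */
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                 /* root was still reachable */
    return 0;
}

/* Nonzero when neither the real nor the effective uid is root. */
int running_unprivileged(void)
{
    return getuid() != 0 && geteuid() != 0;
}

int main(void)
{
    /* Assumption: 65534 is the "nobody" uid/gid, as on many Linux systems.
     * A real daemon would bind its port below 1024 before this call. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("unprivileged now: %d\n", running_unprivileged());
    return 0;
}
```

Run as an ordinary user, the call fails at `setgroups()` and the process is left unchanged, which is the expected outcome for an account that never held the privilege.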

Windows NT

On Windows NT-based systems, privileges are delegated in varying degrees. These delegations can be defined using the Local Security Policy Manager (SECPOL.MSC). The following is an abbreviated list of the default assignments:

  • 'NT AUTHORITY\System' is the closest equivalent to the Superuser on Unix-like systems. It has many of the privileges of a classic Unix superuser, such as being a trustee on every file created.
  • 'Administrator' is one of the closest equivalents to the Superuser on Unix-like systems. However, this user cannot override as many of the operating system's protections as the Superuser can.
  • Members of the 'Administrators' group have privileges almost equal to 'Administrator'.
  • Members of the 'Power Users' group have the ability to install programs and back up the system.
  • Members of the 'Users' group are the equivalent to unprivileged users on Unix-like systems.

Windows defines a number of administrative privileges[1] which can be assigned individually to users and/or groups. An account (user) holds only the privileges granted to it, either directly or indirectly through group memberships. Upon installation a number of groups and accounts are created and privileges are granted to them. However, these grants can be changed at a later time or through a group policy. Unlike Linux, no privileges are implicitly or permanently granted to a specific account.

Some administrative privileges (e.g. taking ownership of or restoring arbitrary files) are so powerful that if used with malicious intent they could allow the entire system to be compromised. With user account control (on by default since Windows Vista) Windows will strip the user token of these privileges at login. Thus, if a user logs in with an account with broad system privileges, he/she will still not be running with these system privileges. Whenever the user wants to perform administrative actions requiring any of the system privileges he/she will have to do this from an elevated process. When launching an elevated process, the user is made aware that his/her administrative privileges are being asserted through a prompt requiring his/her consent. Not holding privileges until actually required is in keeping with the Principle of least privilege.

Elevated processes will run with the full privileges of the user, not the full privileges of the system. Even so, the privileges of the user may still be more than what is required for that particular process, thus not completely least privilege.

The DOS-based Windows ME, Windows 98, Windows 95, and previous versions of non-NT Windows only operated on the FAT filesystem and did not support filesystem permissions,[2] and therefore privileges are effectively defeated on Windows NT-based systems that do not use the NTFS file system.

Nomenclature

The names used in the Windows source code end in either "Privilege" or "LogonRight". This has led to some confusion about what the full set of all these "Rights" and "Privileges" should be called.

Microsoft currently uses the term "User Rights".[3] In the past some other terms have also been used by Microsoft, such as "Privilege Rights",[4] "logon user rights"[5] and "NT-Rights".[6]

References

  1. ^ "Privilege Constants". Microsoft. 
  2. ^ "How Permissions Work". Microsoft. "You can set permissions at the file level only if the files are stored on an NTFS volume." 
  3. ^ "User Rights". Microsoft TechNet Library. "User rights include logon rights and privileges." 
  4. ^ "Privilege Rights". Microsoft MSDN Library. 
  5. ^ "How to set logon user rights by using the NTRights utility". Microsoft Support. "The following is a list of logon user rights [...] SeInteractiveLogonRight [...] SeDebugPrivilege" 
  6. ^ "How to set logon user rights by using the NTRights utility". Microsoft Support. "NTRights.Exe [...] Grants/Revokes NT-Rights [...] valid NTRights are: SeCreateTokenPrivilege" 
Wikipedia content is licensed under the GFDL License