Privilege (computing) - Windows NT

Windows NT

On Windows NT-based systems, privileges are delegated in varying degrees. These delegations can be defined using the Local Security Policy Manager (SECPOL.MSC). The following is an abbreviated list of the default assignments:

  • 'NT AUTHORITY\System' is the closest equivalent to the Superuser on Unix-like systems. It has many of the privileges of a classic Unix superuser, such as being a trustee on every file created.
  • 'Administrator' is one of the closest equivalents to the Superuser on Unix-like systems. However, this user cannot override as many of the operating system's protections as the Superuser can.
  • Members of the 'Administrators' group have privileges almost equal to 'Administrator'.
  • Members of the 'Power Users' group have the ability to install programs and back up the system.
  • Members of the 'Users' group are the equivalent of unprivileged users on Unix-like systems.

Windows defines a number of administrative privileges which can be assigned individually to users and/or groups. An account (user) holds only the privileges granted to it, either directly or indirectly through group memberships. Upon installation, a number of groups and accounts are created and privileges are granted to them. However, these grants can be changed at a later time or through a group policy. Unlike Linux, no privileges are implicitly or permanently granted to a specific account.

Some administrative privileges (e.g. taking ownership of or restoring arbitrary files) are so powerful that if used with malicious intent they could allow the entire system to be compromised. With User Account Control (on by default since Windows Vista), Windows will strip the user token of these privileges at login. Thus, if a user logs in with an account with broad system privileges, he/she will still not be running with these system privileges. Whenever the user wants to perform administrative actions requiring any of the system privileges, he/she will have to do this from an elevated process. When launching an elevated process, the user is made aware that his/her administrative privileges are being asserted through a prompt requiring his/her consent. Not holding privileges until actually required is in keeping with the principle of least privilege.

Elevated processes will run with the full privileges of the user, not the full privileges of the system. Even so, the privileges of the user may still be more than what is required for that particular process, so this is not completely least privilege.
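The difference between the token a user receives at login and the token of an elevated process can be seen by comparing their privilege lists. The following is an added example, not part of the original article: it parses two constructed samples laid out like `whoami /priv` output and reports which privileges the login-time filtering removed. The sample tables, the function names and the `HIGH_IMPACT` set are assumptions made for illustration.

```python
import re

# Privileges this section names as powerful enough to compromise the system:
# taking ownership of, or restoring, arbitrary files.
HIGH_IMPACT = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege"}

# Constructed samples in the layout of `whoami /priv` (not captured output).
FILTERED_TOKEN = """\
Privilege Name                Description                              State
============================= ======================================== ========
SeShutdownPrivilege           Shut down the system                     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
"""

ELEVATED_TOKEN = """\
Privilege Name                Description                              State
============================= ======================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects Disabled
SeBackupPrivilege             Back up files and directories            Disabled
SeRestorePrivilege            Restore files and directories            Disabled
SeShutdownPrivilege           Shut down the system                     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
"""


def parse_privileges(text):
    """Map privilege name -> True if enabled, False if held but disabled."""
    privs = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a privilege constant and end with the state.
        if len(fields) >= 2 and re.fullmatch(r"Se\w+Privilege", fields[0]):
            privs[fields[0]] = fields[-1] == "Enabled"
    return privs


def removed_by_filtering(filtered, elevated):
    """Privileges held by the elevated token but absent from the filtered one."""
    return sorted(set(elevated) - set(filtered))


def high_impact_held(privs):
    """High-impact privileges present in a token, enabled or not."""
    return sorted(HIGH_IMPACT & set(privs))


if __name__ == "__main__":
    filtered = parse_privileges(FILTERED_TOKEN)
    elevated = parse_privileges(ELEVATED_TOKEN)
    print("removed at login:", removed_by_filtering(filtered, elevated))
    print("high impact, filtered token:", high_impact_held(filtered))
    print("high impact, elevated token:", high_impact_held(elevated))
```

On a real system, the two inputs would be the `whoami /priv` output from a normal and an elevated prompt of the same account.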

The DOS-based Windows ME, Windows 98, Windows 95, and previous versions of non-NT Windows only operated on the FAT filesystem and did not support filesystem permissions, and therefore privileges are effectively defeated on Windows NT-based systems that do not use the NTFS file system.
