Rights and Privileges in Windows

Windows has several groups that give members significant rights and privileges, which can be exploited to escalate privileges on standalone Windows hosts and within Active Directory domains.

Ultimately, these privileges can be used to gain Domain Admin, local administrator, or SYSTEM privileges on a Windows workstation, server, or Domain Controller (DC).

Privileged Groups

Group: Description

Default Administrators: Domain Admins and Enterprise Admins are "super" groups.

Server Operators: Members can modify services, access SMB shares, and back up files.

Backup Operators: Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs.

Print Operators: Members can log on to DCs locally and "trick" Windows into loading a malicious driver.

Hyper-V Administrators: If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins.

Account Operators: Members can modify non-protected accounts and groups in the domain.

Remote Desktop Users: Members are not given any useful permissions by default but are often granted additional rights such as "Allow log on through Remote Desktop Services" and can move laterally using the RDP protocol.

Remote Management Users: Members can log on to DCs with PSRemoting (this group is sometimes added to the local remote management group on non-DCs).

Group Policy Creator Owners: Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU.

Schema Admins: Members can modify the Active Directory schema structure and backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL.

DNS Admins: Members can load a DLL on a DC, but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to create a WPAD record.
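Because membership in these groups is effectively administrative, the defensive counterpart is a recurring membership audit. The script below is an added example (not from the original article) that enumerates each group listed above and reports any member not present in an approved baseline; it assumes the ActiveDirectory RSAT module, a domain account permitted to read group membership, and a baseline hashtable you fill in for your own environment.

```powershell
# Added audit example (not from the original article). Assumes the ActiveDirectory
# RSAT module and a domain account that can read group membership.
Import-Module ActiveDirectory

# Groups from the table above; empty membership is the expected state for most of them.
# DnsAdmins is the actual AD object name of the "DNS Admins" group.
$sensitiveGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Server Operators', 'Backup Operators', 'Print Operators',
    'Hyper-V Administrators', 'Account Operators',
    'Remote Desktop Users', 'Remote Management Users',
    'Group Policy Creator Owners', 'Schema Admins', 'DnsAdmins'
)

# Hypothetical approved-membership baseline keyed by group name (constructed for this
# example; replace with the accounts your organisation has actually approved).
$baseline = @{
    'Domain Admins' = @('Administrator')
    'Schema Admins' = @()
}

$findings = foreach ($group in $sensitiveGroups) {
    try {
        # -Recursive expands nested groups so an account added through a nested group is still caught.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty SamAccountName
    } catch {
        # Hyper-V Administrators only exists in AD on a DC with the Hyper-V role; skip missing groups.
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }
    $approved = if ($baseline.ContainsKey($group)) { $baseline[$group] } else { @() }
    foreach ($m in $members) {
        if ($approved -notcontains $m) {
            [pscustomobject]@{ Group = $group; Member = $m; Status = 'NotInBaseline' }
        }
    }
}

$findings | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new row for Backup Operators, Account Operators or DnsAdmins deserves the same scrutiny as a new Domain Admin.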

User Rights Assignment

Constant: SeNetworkLogonRight
Setting name: Access this computer from the network
Standard assignment: Administrators, Authenticated Users
Description: Determines which users can connect to the device from the network. This is required by network protocols such as SMB, NetBIOS, CIFS, and COM+.

Constant: SeRemoteInteractiveLogonRight
Setting name: Allow log on through Remote Desktop Services
Standard assignment: Administrators, Remote Desktop Users
Description: This policy setting determines which users or groups can access the login screen of a remote device through a Remote Desktop Services connection. A user can establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.

Constant: SeBackupPrivilege
Setting name: Back up files and directories
Standard assignment: Administrators
Description: This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

Constant: SeSecurityPrivilege
Setting name: Manage auditing and security log
Standard assignment: Administrators
Description: This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user assigned this user right can also view and clear the Security log in Event Viewer.

Constant: SeTakeOwnershipPrivilege
Setting name: Take ownership of files or other objects
Standard assignment: Administrators
Description: This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

Constant: SeDebugPrivilege
Setting name: Debug programs
Standard assignment: Administrators
Description: This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating system components.

Constant: SeImpersonatePrivilege
Setting name: Impersonate a client after authentication
Standard assignment: Administrators, Local Service, Network Service, Service
Description: This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user.

Constant: SeLoadDriverPrivilege
Setting name: Load and unload device drivers
Standard assignment: Administrators
Description: This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.

Constant: SeRestorePrivilege
Setting name: Restore files and directories
Standard assignment: Administrators
Description: This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories. It determines which users can set valid security principals as the owner of an object.
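The standard assignments above are only useful if you can check a host against them. The script below is an added example (not from the original article) that exports the effective user rights assignment with the built-in secedit.exe, resolves the SIDs it writes, and reports any principal holding one of the listed rights beyond its standard assignment; it assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example (not from the original article): export the local user rights
# assignment with secedit.exe and flag principals beyond the standard assignment.
# Assumes an elevated PowerShell session on the host being audited.
$exportPath = Join-Path $env:TEMP 'ura-audit.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Standard assignments from the table above, as resolved NT account names.
$standard = @{
    SeBackupPrivilege             = @('BUILTIN\Administrators')
    SeRestorePrivilege            = @('BUILTIN\Administrators')
    SeDebugPrivilege              = @('BUILTIN\Administrators')
    SeTakeOwnershipPrivilege      = @('BUILTIN\Administrators')
    SeLoadDriverPrivilege         = @('BUILTIN\Administrators')
    SeSecurityPrivilege           = @('BUILTIN\Administrators')
    SeRemoteInteractiveLogonRight = @('BUILTIN\Administrators', 'BUILTIN\Remote Desktop Users')
    SeImpersonatePrivilege        = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE',
                                      'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE')
}

function Resolve-Principal([string]$Token) {
    # secedit writes SIDs prefixed with '*', e.g. *S-1-5-32-544; plain names are written as-is.
    if (-not $Token.StartsWith('*')) { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token   # unresolvable (e.g. orphaned) SID: keep it raw so it is still reported
    }
}

$findings = foreach ($line in Get-Content $exportPath) {
    # Lines in the [Privilege Rights] section look like: SeDebugPrivilege = *S-1-5-32-544
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    if (-not $standard.ContainsKey($right)) { continue }
    foreach ($token in ($Matches[2] -split ',')) {
        $principal = Resolve-Principal $token.Trim()
        if ($standard[$right] -notcontains $principal) {
            [pscustomobject]@{ Right = $right; Principal = $principal; Status = 'BeyondStandard' }
        }
    }
}

Remove-Item $exportPath -ErrorAction SilentlyContinue
if ($findings) { $findings | Format-Table -AutoSize } else { 'No deviations from the standard assignment.' }
```

An orphaned SID is reported with its raw value on purpose: a right granted to a deleted account is still a right, and it should be removed rather than ignored.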

Conclusion

In conclusion, understanding the various groups and their associated rights and privileges in Windows is crucial for maintaining security within standalone Windows hosts and Active Directory domains.

These groups, ranging from Default Administrators to DNS Admins, possess significant capabilities that, if exploited, can lead to elevated privileges such as Domain Admin, local administrator, or SYSTEM privileges.

Properly managing and monitoring these groups can help prevent unauthorized access and potential security breaches, ensuring a more secure and robust Windows environment.

https://4sysops.com/archives/user-rights-assignment-in-windows-server-2016/