From 3eda816af590c06b57e101c2dd4afbddd8c6cbb2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 19 Dec 2018 12:06:45 -0800 Subject: [PATCH] added Administrator recommendation for SeDebugPrivilege --- windows/security/threat-protection/auditing/event-4672.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index e31ecb598c..baac7dff4d 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 12/20/2018 --- # 4672(S): Special privileges assigned to new logon. @@ -18,7 +18,7 @@ ms.date: 04/19/2017 Event 4672 illustration - +
***Subcategory:*** [Audit Special Logon](audit-special-logon.md) ***Event Description:*** @@ -125,7 +125,7 @@ You typically will see many of these events in the event log, because every logo | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | | SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | | SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | | SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | | SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | | SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |