Solved

Act As Part of Operating System

Posted on 2013-11-07
1,170 Views
Last Modified: 2015-06-23
We need to install an application that requires changes to the Windows server (file/apps) user rights policies... We need to add the user GROUPS to "Act as part of the operating system" and "Take ownership of files or other objects"... Unfortunately the software vendor won't help us much on this.

Have you made these changes in your environment? What are the precautions we need to take, and what are the risks associated with this? Any workaround for this?

I am reading MS notes..
1) Act as part of the operating system: This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.

Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users.

2) Take ownership of files or other objects: This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
Question by: Mike
11 Comments
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39631831
This is not something I would allow..

Can they not use the local system account?

Or, as a workaround, create one domain user account and add that account to the local Administrators group on all of your workstations; also grant this account the "Log on as a service" right..

It should not need more permissions than that.
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39631860
Is this a single user account named "Groups" or a group of user accounts - I can't quite tell from your description? Obviously this is not something you'd want to do unless there's absolutely no way around it. If it's a single account that needs to have these rights on the server itself, then I'd say at the very least that you should create this account with the lowest level of file or other server-level permissions possible, and give it a very complex password, so that it's not easily hackable (or memorizable).

Also, you would want to secure this server so that it's not accessible except by those users who have to run this application.
 

Author Comment

by:Mike
ID: 39639903
The software vendor is asking us to
1) grant the Application-End-Users NT group (e.g. endUsersGroup) "Act as part of the operating system"

2) grant the Application-Admin-Users NT group (e.g. adminUsersGroup) both "Act as part of the operating system" and "Take ownership of files or other objects"

Just to clarify for myself: what exactly do these two do? For example, what happens if I grant a user the "Act as part of the operating system" or "Take ownership of files or other objects" user right?
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39639932
Go to a command prompt and type "gpedit.msc" to open the group policy console.  Then navigate to the Computer Configuration/Windows Settings/Security Settings/User Rights Assignment.  Double-click to open the dialog box for the "Act as part of the operating system" (or any other) right, and look at the Explain tab.  This will tell you what that right does.
 

Author Comment

by:Mike
ID: 39640762
Hypercat, I am looking for a possible and better/more secure workaround. Trying to see if anyone has come across this and how they handled it.
 
LVL 38

Accepted Solution

by: Hypercat (Deb) earned 1600 total points
ID: 39641674
I work with a LOT of 3rd party software.  Often the requirements of the vendors are objectionable, but the problem is that also often they won't support or warranty in any way the performance of the software unless you follow their rules exactly.  

In a perfect world, the way you would handle this would be to put the vendor's software on a separate member server on your domain and follow their requirements.  Make the groups "EndUsersGroup" and "AdminUsersGroup" local groups on the member server with no rights or access to anything else on your domain, again so that the groups have rights only on that one server and exposure is limited to that one server at least. I hope that you're able to do this, as it's really the only sure way to work with the vendor and provide your users with the software they need.

You might also try to find out if the vendor provides access to any forums or discussion groups with other users of that software. Often this will give you access to experienced admins who have worked through this issue with this particular software and might have suggestions to offer.  It is really impossible for anyone to suggest a workaround for you who hasn't worked with this particular software package.
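The following is an added example, not code from this thread or from any vendor. It is a PowerShell audit script for the local-policy lookup Hypercat describes earlier (gpedit.msc, User Rights Assignment) and for the isolated-member-server approach in the accepted solution: it exports the effective local security policy with secedit and reports who currently holds the two rights named in the question, flagging holders outside an expected baseline and holders that are domain-scoped rather than local to the server. The internal constants SeTcbPrivilege and SeTakeOwnershipPrivilege are the real names behind "Act as part of the operating system" and "Take ownership of files or other objects"; the baseline holder lists (EndUsersGroup and AdminUsersGroup as local groups) are assumptions built from the example group names in the thread and should be edited for your server.

```powershell
# Added example (not from the original thread): audit who holds the two user
# rights discussed above on the local server. Run from an elevated prompt.

# Internal privilege constants for the two rights named in the question.
$RightsOfInterest = @(
    @{ Name = 'SeTcbPrivilege';           Display = 'Act as part of the operating system' },
    @{ Name = 'SeTakeOwnershipPrivilege'; Display = 'Take ownership of files or other objects' }
)

# ASSUMED baseline: who you expect to hold each right on this member server.
# Group names follow the thread's examples; replace them with your own.
$ExpectedHolders = @{
    'SeTcbPrivilege'           = @("${env:COMPUTERNAME}\EndUsersGroup", "${env:COMPUTERNAME}\AdminUsersGroup")
    'SeTakeOwnershipPrivilege' = @('BUILTIN\Administrators', "${env:COMPUTERNAME}\AdminUsersGroup")
}

# Account authorities that are local to this machine; anything else is domain-scoped.
$LocalScopes = @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE', $env:COMPUTERNAME)

function Get-LocalUserRightsAssignment {
    # Export the effective local policy to a temporary INF file and parse its
    # [Privilege Rights] section, where each line reads "SeXxx = *SID,*SID,...".
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $inf /areas USER_RIGHTS
        if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }
        $result = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                $holders = foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }
                    if ($entry.StartsWith('*')) {
                        # A leading '*' marks a SID; translate to DOMAIN\Name where possible.
                        try {
                            (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $entry }
                    } else { $entry }
                }
                $result[$right] = @($holders)
            }
        }
        return $result
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$assignments = Get-LocalUserRightsAssignment
foreach ($right in $RightsOfInterest) {
    $actual     = @($assignments[$right.Name])
    $expected   = @($ExpectedHolders[$right.Name])
    $unexpected = @($actual   | Where-Object { $expected -notcontains $_ })
    $missing    = @($expected | Where-Object { $actual   -notcontains $_ })
    # Holders whose authority is not this machine or a built-in scope.
    $domainScoped = @($actual | Where-Object { $LocalScopes -notcontains (($_ -split '\\')[0]) })

    "{0} ({1}):" -f $right.Display, $right.Name
    "  holders : {0}" -f $(if ($actual) { $actual -join ', ' } else { '<none>' })
    if ($unexpected)   { "  WARNING: not in baseline     -> {0}" -f ($unexpected -join ', ') }
    if ($domainScoped) { "  WARNING: domain-scoped holder -> {0}" -f ($domainScoped -join ', ') }
    if ($missing)      { "  note: expected but absent     -> {0}" -f ($missing -join ', ') }
}
```

The domain-scoped check exists because the accepted answer's point is containment: if the vendor's groups are local groups on the one member server, a right granted to them cannot be exercised anywhere else in the domain. Running the script periodically (or after each vendor update) gives you a record of drift from that arrangement.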
 

Author Comment

by:Mike
ID: 39644855
Thanks Hypercat. This could be a good workaround if I don't get any other options from the vendor.

From Microsoft TechNet: "If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext."

Since we are moving from Windows 2000 client/server to Windows 7 & 2008, I am trying to find out from the vendor if this is still required in Windows 2008 and if the application supports Windows 2008.

What has changed in Windows 2008/2003 from 2000 related to "Act as part of the operating system"?
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39645082
I couldn't say exactly what might have changed.  It's most likely authentication protocols and the method by which passwords are exchanged within the system.  I'm not enough of a security geek to know exactly how this might have changed between the Windows 2000 and Windows 2003/2008 operating systems.  I know, however, that there have been significant changes in general in security and how authentication protocols are used.
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39645102
Further, I can say that I know that passwords are not exchanged in plain text within a Windows 7/Windows 2008 domain. Windows 2008 stores all its known passwords (i.e., AD user passwords) in hashed format.
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40845789
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.