Act As Part of Operating System
Posted on 2013-11-07
We need to install an application that requires changes to the Windows Server (file/apps) user rights policies... We need to add the user GROUPS to "Act as part of the operating system" and "Take ownership of files or other objects"... Unfortunately, the software vendor won't help us much on this.
Have you made these changes in your environment? What are the precautions we need to take, and what are the risks associated with this? Any workaround for this?
I am reading the MS notes:
1) Act as part of the operating system: This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.
Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users.
2) Take ownership of files or other objects: This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
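
To see who holds the two rights before and after such a change, the following added example (not part of the original post) parses a `secedit` user-rights export and lists the holders of `SeTcbPrivilege` and `SeTakeOwnershipPrivilege`. The group `CONTOSO\AppSvcGroup`, the sample export and the review rule are assumptions made for illustration.

```powershell
# Constant names of the two rights from the post, as they appear in a secedit export.
$Rights = @{
    SeTcbPrivilege           = 'Act as part of the operating system'
    SeTakeOwnershipPrivilege = 'Take ownership of files or other objects'
}

function Get-UserRightHolder {
    param([string[]]$InfLines)
    foreach ($line in $InfLines) {
        # Export lines look like: SeTcbPrivilege = *S-1-5-18,DOMAIN\Group
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right, $value = $Matches[1], $Matches[2]
        if (-not $Rights.ContainsKey($right)) { continue }
        foreach ($entry in $value.Split(',').Trim()) {
            if (-not $entry) { continue }
            $name = $entry
            if ($entry.StartsWith('*')) {          # "*" marks a SID
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $entry.Substring(1) }   # unresolvable: show the raw SID
            }
            # Review rule (assumption of this example): any SeTcbPrivilege holder, and any
            # SeTakeOwnershipPrivilege holder other than BUILTIN\Administrators (the default).
            $review = ($right -eq 'SeTcbPrivilege') -or ($entry -ne '*S-1-5-32-544')
            [pscustomobject]@{ Right = $Rights[$right]; Holder = $name; Review = $review }
        }
    }
}

# Constructed sample export (CONTOSO\AppSvcGroup is a made-up group), used off-Windows.
$sample = @'
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544,CONTOSO\AppSvcGroup
SeTcbPrivilege = CONTOSO\AppSvcGroup
SeBackupPrivilege = *S-1-5-32-544
'@ -split '\r?\n'

if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    # Live check: needs an elevated prompt.
    $tmp = Join-Path $env:TEMP 'user_rights.inf'
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $tmp
    Remove-Item $tmp
} else { $lines = $sample }

Get-UserRightHolder $lines | Format-Table -AutoSize
```

A right with no holders is normally absent from the export, so no `SeTcbPrivilege` row means no account has been granted it explicitly.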