Act as part of the operating system

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description

This policy allows a process to authenticate as any user, and therefore gain access to the same resources as any user. Only low-level authentication services should require this privilege.

Potential access is not limited to the default user associations, because the calling process might request that arbitrary additional access permissions be put in the access token. A greater concern is that the calling process can build an anonymous token that can provide any and all access permissions. In addition, the anonymous token does not provide a primary identity for tracking events in the audit log.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Default: Local System.
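
One way to check which accounts have been assigned this right on a machine, as an added example that is not part of the original page. It assumes the right's constant name SeTcbPrivilege and the INF layout written by secedit /export; the function name and the SID in the sample are constructed for illustration.

```powershell
# Added example: list accounts explicitly assigned "Act as part of the operating
# system" (constant name SeTcbPrivilege) from a secedit user-rights export.
function Get-TcbPrivilegeHolder {
    param([string[]]$InfLines)
    # secedit writes assigned rights under [Privilege Rights], one per line:
    #   SeTcbPrivilege = *S-1-5-21-...,SomeAccount
    # No SeTcbPrivilege line means no account has been assigned the right.
    $line = $InfLines | Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }
    $entries = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $account = $entry
        if ($entry.StartsWith('*')) {          # "*" prefix marks a raw SID
            $sid = $entry.Substring(1)
            try {
                $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved SID)'  # e.g. deleted account or foreign domain
            }
        }
        [pscustomobject]@{ Right = 'SeTcbPrivilege'; Entry = $entry; Account = $account }
    }
}

# Constructed sample export (the SID is made up) so the parser runs offline.
$sample = @(
    '[Privilege Rights]'
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
    'SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Get-TcbPrivilegeHolder -InfLines $sample

# On a live system (elevated prompt), export the real policy and audit it:
#   $cfg = Join-Path $env:TEMP 'user-rights.inf'
#   secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
#   Get-TcbPrivilegeHolder -InfLines (Get-Content $cfg); Remove-Item $cfg
```

Any account returned holds the right by explicit assignment and is worth reviewing, since the guidance above is to run such processes as LocalSystem rather than grant the privilege to a separate account.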

For more information, see:

Security Configuration Manager Tools

