Act as part of the operating system

Information

Act as part of the operating system

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default: None.

Solution

Policy Path: User Rights Assignments
Policy Setting Name: Act as part of the operating system

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7)(b), CSCv6|5.1

Plugin: Windows

Control ID: 2a01ab44e536b4f3b7f62041d4298d5746ff63ac33b671d65912b708259d3ac4