Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 01. Operating Systems / Windows / 03. Privileges & Integrity Levels

Privileges & Integrity Levels

Not all users possess the same capabilities.

For example:

Alice

may be able to:

  • Read files
  • Browse the Internet
  • Run applications

while:

Administrator

may additionally:

  • Install software
  • Create users
  • Modify security settings
  • Control services

Windows uses:

  • User accounts
  • Group memberships
  • Permissions (ACLs)
  • Privileges
  • Integrity levels

to enforce access control.


Why This Matters

Many security activities ultimately involve obtaining additional capabilities.

Examples:

ActivityGoal
AdministrationGain required access
Privilege EscalationGain additional access
MalwareIncrease capabilities
Incident ResponseDetermine capabilities
Threat HuntingIdentify abuse
Digital ForensicsReconstruct actions

Permissions vs Privileges

These concepts are often confused.

Permissions answer:

Can I access this object?

Examples:

  • File access
  • Registry access
  • Directory access

Privileges answer:

Can I perform this action?

Examples:

  • Shut down the system
  • Debug processes
  • Load drivers
  • Back up files

Conceptually:

Permission    
	↓
Object Access
Privilege    
	↓
System Capability

User Context

Every process executes within a security context.

Example:

explorer.exe    
↓
Alice
services.exe    
↓
SYSTEM

The capabilities available to a process depend on the identity under which it executes.


Administrative Access

Administrators possess significantly more capabilities than standard users.

Example:

Users    
	↓
Limited Access
Administrators    
	↓
Elevated Access

This distinction forms the basis of many privilege escalation attacks.


Common Privileges

Windows defines many privileges.

Examples include:

PrivilegePurpose
SeShutdownPrivilegeShut down system
SeBackupPrivilegeRead files during backup
SeRestorePrivilegeRestore files
SeDebugPrivilegeAccess other processes
SeImpersonatePrivilegeImpersonate identities
SeTakeOwnershipPrivilegeTake ownership of objects

Most users possess very few privileges.

Administrative accounts possess more.


Viewing Privileges

Common command:

whoami /priv

Example:

PS C:\WINDOWS\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

Integrity Levels

Windows also uses integrity levels.

Integrity levels help restrict what processes may modify.

Levels include:

Low 
↓
Medium 
↓
High 
↓
System

Higher integrity levels generally possess greater authority.

Integrity levels help prevent lower-trust processes from modifying higher-trust processes and objects.


Medium Integrity

Most user applications execute at:

Medium Integrity

Examples:

notepad.exe
chrome.exe
explorer.exe

This is the normal user context.


High Integrity

Administrative applications commonly execute at:

High Integrity

Examples:

Administrator PowerShell
Administrator Command Prompt

These processes possess elevated administrative capabilities.


System Integrity

Windows itself commonly executes critical processes at:

System Integrity

Examples:

lsass.exe
wininit.exe
services.exe

These processes are among the most privileged on the system.


User Account Control (UAC)

Modern Windows systems attempt to reduce unnecessary administrative activity.

This mechanism is known as:

User Account Control (UAC)

Example:

Run as Administrator        
	↓
UAC Prompt        
	↓
Approval Required

This helps separate normal activity from elevated activity.

The UAC prompt requires user approval before a process can execute with elevated privileges.

Depending on configuration and account type, this may involve:

  • Clicking Allow
  • Entering administrative credentials

Microsoft does not consider UAC to be a security boundary. Nevertheless, it is a practical obstacle that frequently requires bypassing. UAC bypass techniques are commonly encountered during offensive operations and will be explored in later modules.


Viewing Integrity Levels

Example:

whoami /groups

Output commonly includes:

Mandatory Label\Medium Mandatory Level

or:

Mandatory Label\High Mandatory Level

This indicates the integrity level of the current process.

Example:

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID                                            Attributes                                  
============================================================= ================ ============================================== ==================================================
Everyone                                                      Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                      Group used for deny only                 
BUILTIN\Administrators                                        Alias            S-1-5-32-544                                   Group used for deny only                    
BUILTIN\Performance Log Users                                 Alias            S-1-5-32-559                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192 

Operator Perspective

When approaching an unfamiliar Windows system, Operators typically ask:

Identity

  • Which user am I?
  • Am I a local user?
  • Am I a domain user?

Privileges

  • Which privileges are assigned?
  • Which privileges are enabled?

Elevation

  • Am I an administrator?
  • Am I running elevated?

Integrity

  • Am I Low, Medium, High, or System?

Security

  • Can privileges be abused?
  • Are dangerous privileges assigned unnecessarily?
  • Is privilege escalation possible?

Many privilege escalation paths begin with these questions.


Key Takeaways

  • Permissions and privileges are different concepts.
  • Permissions control access to objects.
  • Privileges control access to actions.
  • Administrative users possess additional capabilities.
  • Processes execute within a specific security context.
  • Windows uses integrity levels to separate trust boundaries.
  • Common integrity levels include Low, Medium, High, and System.
  • UAC helps separate normal activity from elevated activity.
  • Privileges are commonly inspected during investigations and privilege escalation.
  • Understanding privileges is essential for both offensive and defensive operations.

The next lesson explores Processes and how Windows executes programs.