Not all users possess the same capabilities.
For example:
Alice
may be able to:
- Read files
- Browse the Internet
- Run applications
while:
Administrator
may additionally:
- Install software
- Create users
- Modify security settings
- Control services
Windows uses:
- User accounts
- Group memberships
- Permissions (ACLs)
- Privileges
- Integrity levels
to enforce access control.
Why This Matters
Many security activities ultimately involve obtaining additional capabilities.
Examples:
| Activity | Goal |
|---|---|
| Administration | Gain required access |
| Privilege Escalation | Gain additional access |
| Malware | Increase capabilities |
| Incident Response | Determine capabilities |
| Threat Hunting | Identify abuse |
| Digital Forensics | Reconstruct actions |
Permissions vs Privileges
These concepts are often confused.
Permissions answer:
Can I access this object?
Examples:
- File access
- Registry access
- Directory access
Privileges answer:
Can I perform this action?
Examples:
- Shut down the system
- Debug processes
- Load drivers
- Back up files
Conceptually:
Permission
↓
Object Access
Privilege
↓
System Capability
User Context
Every process executes within a security context.
Example:
explorer.exe
↓
Alice
services.exe
↓
SYSTEM
The capabilities available to a process depend on the identity under which it executes.
Administrative Access
Administrators possess significantly more capabilities than standard users.
Example:
Users
↓
Limited Access
Administrators
↓
Elevated Access
This distinction forms the basis of many privilege escalation attacks.
Common Privileges
Windows defines many privileges.
Examples include:
| Privilege | Purpose |
|---|---|
| SeShutdownPrivilege | Shut down system |
| SeBackupPrivilege | Read files during backup |
| SeRestorePrivilege | Restore files |
| SeDebugPrivilege | Access other processes |
| SeImpersonatePrivilege | Impersonate identities |
| SeTakeOwnershipPrivilege | Take ownership of objects |
Most users possess very few privileges.
Administrative accounts possess more.
Viewing Privileges
Common command:
whoami /priv
Example:
PS C:\WINDOWS\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
Integrity Levels
Windows also uses integrity levels.
Integrity levels help restrict what processes may modify.
Levels include:
Low
↓
Medium
↓
High
↓
System
Higher integrity levels generally possess greater authority.
Integrity levels help prevent lower-trust processes from modifying higher-trust processes and objects.
Medium Integrity
Most user applications execute at:
Medium Integrity
Examples:
notepad.exe
chrome.exe
explorer.exe
This is the normal user context.
High Integrity
Administrative applications commonly execute at:
High Integrity
Examples:
Administrator PowerShell
Administrator Command Prompt
These processes possess elevated administrative capabilities.
System Integrity
Windows itself commonly executes critical processes at:
System Integrity
Examples:
lsass.exe
wininit.exe
services.exe
These processes are among the most privileged on the system.
User Account Control (UAC)
Modern Windows systems attempt to reduce unnecessary administrative activity.
This mechanism is known as:
User Account Control (UAC)
Example:
Run as Administrator
↓
UAC Prompt
↓
Approval Required
This helps separate normal activity from elevated activity.
The UAC prompt requires user approval before a process can execute with elevated privileges.
Depending on configuration and account type, this may involve:
- Clicking Allow
- Entering administrative credentials
Microsoft does not consider UAC to be a security boundary. Nevertheless, it is a practical obstacle that frequently requires bypassing. UAC bypass techniques are commonly encountered during offensive operations and will be explored in later modules.
Viewing Integrity Levels
Example:
whoami /groups
Output commonly includes:
Mandatory Label\Medium Mandatory Level
or:
Mandatory Label\High Mandatory Level
This indicates the integrity level of the current process.
Example:
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Operator Perspective
When approaching an unfamiliar Windows system, Operators typically ask:
Identity
- Which user am I?
- Am I a local user?
- Am I a domain user?
Privileges
- Which privileges are assigned?
- Which privileges are enabled?
Elevation
- Am I an administrator?
- Am I running elevated?
Integrity
- Am I Low, Medium, High, or System?
Security
- Can privileges be abused?
- Are dangerous privileges assigned unnecessarily?
- Is privilege escalation possible?
Many privilege escalation paths begin with these questions.
Key Takeaways
- Permissions and privileges are different concepts.
- Permissions control access to objects.
- Privileges control access to actions.
- Administrative users possess additional capabilities.
- Processes execute within a specific security context.
- Windows uses integrity levels to separate trust boundaries.
- Common integrity levels include Low, Medium, High, and System.
- UAC helps separate normal activity from elevated activity.
- Privileges are commonly inspected during investigations and privilege escalation.
- Understanding privileges is essential for both offensive and defensive operations.
The next lesson explores Processes and how Windows executes programs.