A privilege is the right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time. Privileges differ from access rights in two ways:
- Privileges control access to system resources and system-related tasks, whereas access rights control access to securable objects.
- A system administrator assigns privileges to user and group accounts, whereas the system grants or denies access to a securable object based on the access rights granted in the ACEs in the object's DACL.
特权是一个账户在本地计算机执行系统相关操作的权利,这些账户可以是用户账户或者组账户,这些操作有关闭系统、加载设备驱动或者更改系统时间。特权与访问权的区别在两个方面:
- 特权控制对系统资源和系统相关任务的访问,访问权控制对安全对象的访问
- 系统管理员将特权指派给用户账户和组账户,系统根据对象自主访问控制列表中的ACE来赋予或者拒绝对安全对象的访问
(特权就像自主访问控制的CL,访问权限就像ACL)
Each system has an account database that stores the privileges held by user and group accounts. When a user logs on, the system produces an access token that contains a list of the user's privileges, including those granted to the user or to groups to which the user belongs. Note that the privileges apply only to the local computer; a domain account can have different privileges on different computers.
(每个系统都拥有一个存储用户和组用户特权的账户数据库。当用户登录系统时,系统会生成一个包含用户特权列表的访问令牌,这些特权包括赋予该用户的和赋予该用户所属的组。注意,特权只适用于本地计算机;一个域名账户在不同计算机拥有不同的特权。)
When the user tries to perform a privileged operation, the system checks the user's access token to determine whether the user holds the necessary privileges, and if so, it checks whether the privileges are enabled. If the user fails these tests, the system does not perform the operation.
(当用户试图执行一个需要特权的操作时,系统将检查用户的访问令牌来判断用户是否具备必要的特权,如果拥有,系统将继续检查该特权是否已经开启。如果用户没有通过这些检查,系统将不会执行这些操作。)
To determine the privileges held in an access token, call the GetTokenInformation function, which also indicates which privileges are enabled. Most privileges are disabled by default.
(调用GetTokenInformation函数可以确定访问令牌中的特权,该函数也可以识别出已经开启的特权。默认情况下大多数特权是未开启的。)
The Windows API defines a set of string constants, such as SE_ASSIGNPRIMARYTOKEN_NAME, to identify the various privileges. These constants are the same on all systems and are defined in Winnt.h. For a table of the privileges defined by Windows, see Privilege Constants. However, the functions that get and adjust the privileges in an access token use the LUID type to identify privileges. The LUID values for a privilege can differ from one computer to another, and from one boot to another on the same computer. To get the current LUID that corresponds to one of the string constants, use the LookupPrivilegeValue function. Use the LookupPrivilegeName function to convert a LUID to its corresponding string constant.
(Windows API定义了一些列字符串常量,比如SE_ASSIGNPRIMARYTOKEN_NAME,用来识别出多种特权。这些常量在所有系统中都是一样的,而且都是在wnnt.h中定义。但是,获取或者调整访问令牌中的特权的函数使用LUID类型来识别特权。一个特权的LUID值在不同计算机上可以是不同的值,而且同一台计算机的每次启动也会生成不同的LUID值。获取与其中一个字符串变量相对应的当前LUID值,可以使用LookupPrivilegeValue函数。使用LookupPrivilegeName函数,可以将LUID值转化成相对应的字符串常量。)
The system provides a set of display names that describe each of the privileges. These are useful when you need to display a description of a privilege to the user. Use the LookupPrivilegeDisplayName function to retrieve a description string that corresponds to the string constant for a privilege. For example, on systems that use U.S. English, the display name for the SE_SYSTEMTIME_NAME privilege is "Change the system time".
(系统提供了一些列描述每个特权的展示名。当需要向用户展示特权的具体描述时这将非常有用。使用LookupPrivilegeDisplayName函数获取一个特权的字符串常量相对应的描述字符串。离去,SE_SYSTEMTIME_NAME特权的具体描述字符串就是“更改系统时间”。)
You can use the PrivilegeCheck function to determine whether an access token holds a specified set of privileges. This is useful primarily to server applications that are impersonating a client.
(PrivilegeCheck函数可以确定访问令牌是否拥有特定的特权集合。这对于模拟客户端的服务服务器应用程序尤其重要。)
A system administrator can use administrative tools, such as User Manager, to add or remove privileges for user and group accounts. Administrators can programmatically use the Local Security Authority (LSA) functions to work with privileges. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove privileges from an account. The LsaEnumerateAccountRights function enumerates the privileges held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified privilege.
(系统管理员可以使用User Manager等管理工具来增加或者移除用户账户或者组账户的特权。管理员可以使用LSA函数来管理特权。LsaAddAccountRights和LsaRemoveAccountRights可以增加或者移除一个账户的特权。LsaEnumerateAccountRights函数枚举特定账户的特权。LsaEnumerateAccountsWithUserRight函数枚举持有特定特权的账户。)