- NIST 800-53
- Common Controls Hub
The Back up files and directories user right must only be assigned to the Administrators group.
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-63853 | WN10-UR-000030 | SV-78343r1_rule | Medium |
| Description |
|---|
| Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data." |
| STIG | Date |
|---|---|
| 2018-04-06 |
| Check Text ( C-64603r1_chk ) |
|---|
| Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Back up files and directories" user right, this is a finding: Administrators |
| Fix Text (F-69781r1_fix) |
|---|
| Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to only include the following groups or accounts: Administrators |
WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Backup Files & Directories
Back up files and directories
Note: This is an admin-equivalent right.
AKA: SeBackupPrivilege, Back up files and directories
Default assignment: Administrators and Backup Operators This right allows you access any persistent object (file, folder, registry key, et al) on the computer using the Win32 backup APIs. This is equivalent, from a security perspective, to giving the user the Read permission group to all objects on the entire system. Typically only backup application/service accounts need this right. There are occasional non-backup operations that an administrator might perform that would require this right. If you are directly running NTBackup under your account you will need this right.
Arne Vidstrom shows how you can use this right to make copies of objects to which you have no permissions. Click here.
The opposite of this right is the Restore files and directories right.
By default this right is not audited even if you enable Audit privilege use . See Full Privilege Auditing .
Back to top
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | Backup Files & Directories |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • |
 Windows security encyclopedia#microsoft #windows #security Search formBackup files and directories. This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File List Folder/Read Data Read Attributes Read Extended Attributes Read Permissions Assigning this user right can be a security risk. Since there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. Policy path:Comments: , default: , supported on: , registry settings: , reboot required: , related content. Set and Check User Rights Assignment via PowershellYou can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts.. Posted by : blakedrumm on Jan 5, 2022  Local ComputerRemote computer, output types. This post was last updated on August 29th, 2022 I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights. Set User RightsHow to get it.  All of the User Rights that can be set:
Note You may edit line 558 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE. Here are a few examples: Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2 Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Remove User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Remove User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Remove User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2 Check User RightsIn order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.  Note You may edit line 494 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE. Get Local User Account Rights and output to text in console: Get Remote SQL Server User Account Rights: Get Local Machine and SQL Server User Account Rights: Output Local User Rights on Local Machine as CSV in ‘C:\Temp’: Output to Text in ‘C:\Temp’: PassThru object to allow manipulation / filtering:  I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs. Email : [email protected] Website : https://blakedrumm.com My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.
This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. User Rights Assignment
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , or on the local device by using the Local Group Policy Editor (gpedit.msc). For information about setting security policies, see Configure security policy settings . The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.
Related topics
Additional resources |
IMAGES
VIDEO
COMMENTS
This article describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This tutorial will show you how to change User Rights Assignment security policy settings to control users and groups ability to perform tasks in Windows 10. You must be signed in as an administrator to change User Rights Assignment.
If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the Back up files and directories user right. Location GPO_name \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object.
In Windows, you can back up the current permissions of a file, folder, or drive to a .txt file, and be able to restore the permissions later if needed. This tutorial will show you how to backup and restore permissions for files, folders, and drives in Windows 7, Windows 8, and Windows 10.
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Back up files and directories" user right, this is a finding: Administrators
AKA: SeBackupPrivilege, Back up files and directories Default assignment: Administrators and Backup Operators This right allows you access any persistent object (file, folder, registry key, et al) on the computer using the Win32 backup APIs.
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts. This post was last updated on August 29th, 2022. I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant Logon as a Service Right for a User.
User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.