What is act as part of the operating system
A process in Windows is a program which runs on the system, this can be anything from document editing software to games. The Windows security setting act as part of the operating system grants the capability to a process to assume the identity of any user and then gain access to the resources that the user is authorized to access.
This gives the process the ability to bypass normal access controls and security measures, and do almost anything on the system from accessing files to making major system changes.
Why let a process act as part of the operating system
To some programs such as antivirus software or backup tools, having high level access like the capability to act as part of the core operating system may be crucial to function. These processes need the ability to scan all files for threats or access system settings to create backups.
The risks of granting act as part of the operating system
Act as part of the operating system user right is extremely powerful and can be dangerous if misused. A malicious user or compromised service with this permission could take complete control of the system, access all data, and make significant changes.
These changes can include installing malware onto the system, exploiting this setting to gain complete control, stealing data, or damage the system. Not only can damage be done, but all evidence of activity can also be erased.
There is also the chance even a legitimate program with this permission could cause accidental damage if it malfunctions, has bugs, or accidentally deletes important system files while performing a clean up.
Recommended action for setting
This permission grants near-unlimited access to the system, potentially bypassing security measures. This powerful permission should be treated with caution. Ideally, this right should be assigned to as few accounts as possible, not even administrator accounts should be given access by default.
If a service genuinely needs this permission to function, it’s best to configure it to use the built-in local system account. The local system account is configured to act as part of the operating system by default so it is not necessary to create a separate account and assign the right to it. This approach minimizes the number of accounts with high level of access, reducing the potential security risks.
How to configure act as part of the operating system
To establish the recommended configuration via GP, set the following UI path to No One:
| Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentAct as part of the operating system |
Default value
No one.
Constant
SeTcbPrivilege
Possible values
- User-defined list of accounts
- Not defined
Recommended setting
The recommended state for this setting is: No One.
Hardening best practices
For robust security it is best to treat the act as part of the operating system permission with extreme care. Grant it to the fewest accounts possible, ideally excluding even administrator accounts in typical scenarios.
Server hardening takes care of all system settings, tightening security settings, removing unnecessary features, and keeping software updated. This protects your data from breaches, prevents unauthorized changes, and keeps your systems running smoothly. In essence, server hardening is a proactive approach that saves you time, money, and frustration in the long run.
