Act as Part of the Operating System Windows Security Setting

Act as Part of the Operating System Windows Security Setting

3 Minutes Read Updated on May 21, 2025

 What is act as part of the operating system 

A process in Windows is a program which runs on the system, this can be anything from document editing software to games. The Windows security setting act as part of the operating system grants the capability to a process to assume the identity of any user and then gain access to the resources that the user is authorized to access.

This gives the process the ability to bypass normal access controls and security measures, and do almost anything on the system from accessing files to making major system changes.

Why let a process act as part of the operating system

To some programs such as antivirus software or backup tools, having high level access like the capability to act as part of the core operating system may be crucial to function. These processes need the ability to scan all files for threats or access system settings to create backups.

The risks of granting act as part of the operating system

Act as part of the operating system user right is extremely powerful and can be dangerous if misused. A malicious user or compromised service with this permission could take complete control of the system, access all data, and make significant changes.

These changes can include installing malware onto the system, exploiting this setting to gain complete control, stealing data, or damage the system. Not only can damage be done, but all evidence of activity can also be erased.

There is also the chance even a legitimate program with this permission could cause accidental damage if it malfunctions, has bugs, or accidentally deletes important system files while performing a clean up.

 

Recommended action for setting

This permission grants near-unlimited access to the system, potentially bypassing security measures. This powerful permission should be treated with caution. Ideally, this right should be assigned to as few accounts as possible, not even administrator accounts should be given access by default.

If a service genuinely needs this permission to function, it’s best to configure it to use the built-in local system account. The local system account is configured to act as part of the operating system by default so it is not necessary to create a separate account and assign the right to it. This approach minimizes the number of accounts with high level of access, reducing the potential security risks.

How to configure act as part of the operating system

To establish the recommended configuration via GP, set the following UI path to No One:

Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentAct as part of the operating system

Default value

No one.

Constant

SeTcbPrivilege

Possible values

  • User-defined list of accounts
  • Not defined

Recommended setting

The recommended state for this setting is: No One.

datasheet

Hardening best practices 

For robust security it is best to treat the act as part of the operating system permission with extreme care. Grant it to the fewest accounts possible, ideally excluding even administrator accounts in typical scenarios.

Server hardening takes care of all system settings, tightening security settings, removing unnecessary features, and keeping software updated. This protects your data from breaches, prevents unauthorized changes, and keeps your systems running smoothly. In essence, server hardening is a proactive approach that saves you time, money, and frustration in the long run.

Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.

Related Articles

A Comprehensive Guide to X-Powered-By Header

A Comprehensive Guide to X-Powered-By Header

September 5, 2024

What is a X-Powered-By header? An X-Powered-By header is a type of HTTP response in…

Ryuk attack- protect your organization

Ryuk attack- protect your organization

June 5, 2019

Ryuk ransomware was first detected in August 2018. One of its famous attacks happened on…

Which TLS version is obsolete?

Which TLS version is obsolete?

July 25, 2022

Transport Layer Security is a security protocol used for facilitating seamless and safe communication between…

Ready to simplify compliance?

See automated compliance in action—book your demo today!

Share this article