Inappropriate user with Restore Files and Directories privilege

Risk Level: High

Check or Attack Name: Restore Privilege

Platforms: Windows NT

Description:

A user has been detected with the Restore Files and Directories privilege. This right is normally granted only to Administrators and Backup Operators, and can be used to replace any file or registry key regardless of permissions. If the user also has the Backup Files and Directories privilege, the ownership of files and other objects can be changed.

Remedy:

Verify user rights in User Manager.

To audit and revoke this privilege, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. From the Policies menu, select User Rights to display the User Rights Policy dialog box.
  3. From the Right list, select Restore files and directories.
  4. Verify that this right is set in accordance with your security policy.
  5. To remove a user, select the user and click Remove.
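
The same check can be scripted where the user-rights policy is available as text. This is an added example, not part of the original advisory: it assumes the policy was exported in the INF format written by `secedit /export`, and the sample SIDs and the account name `svc_deploy` are constructed for illustration.

```python
# Well-known SIDs of the two groups the advisory says normally hold the right.
EXPECTED = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample of an exported policy (not taken from a real host).
SAMPLE_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105,svc_deploy
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Holders are comma-separated; SIDs carry a leading '*', names do not.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def audit_restore_privilege(inf_text, allowed=EXPECTED):
    """List unexpected SeRestorePrivilege holders and whether each also
    holds SeBackupPrivilege (the combination the advisory warns about)."""
    rights = parse_privilege_rights(inf_text)
    backup = {h.lower() for h in rights.get("SeBackupPrivilege", [])}
    allowed_ci = {a.lower() for a in allowed}
    findings = []
    for holder in rights.get("SeRestorePrivilege", []):
        if holder.lower() not in allowed_ci:
            findings.append({"holder": holder,
                             "also_has_backup": holder.lower() in backup})
    return findings
```

Each finding is an account to review against your security policy; entries with `also_has_backup` set to true deserve attention first.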

References:

Microsoft Knowledge Base Article Q104204, Troubleshooting Directory Replicator Problems, http://support.microsoft.com/support/kb/articles/q104/2/04.asp

Microsoft Knowledge Base Article Q183054, Taking Ownership Remotely May Set Owner Incorrectly, http://support.microsoft.com/support/kb/articles/q183/0/54.asp

Microsoft Knowledge Base Article Q186374, Enable Auditing of Microsoft Windows NT Server Password Registry, http://support.microsoft.com/support/kb/articles/q186/3/74.asp

