During an incident review on a Windows Server 2022 file server, you discover that a Tier-1 support technician, who is not a local administrator, was able to overwrite the C:\Windows\System32\drivers\etc\hosts file and plant a back-door service. The account is a member only of a custom domain group named File-Backup-Ops. A Group Policy object assigns this group the user rights "Back up files and directories" and "Restore files and directories" on every server. No other privileges are delegated. Which change will BEST eliminate this improper privilege escalation while still allowing the group to perform routine backups?
Remove the "Back up files and directories" (SeBackupPrivilege) user right from the File-Backup-Ops group.
Add an explicit NTFS deny-write permission to C:\Windows\System32 for the File-Backup-Ops group.
Add the File-Backup-Ops group to the local Backup Operators group instead of using Group Policy.
Remove the "Restore files and directories" (SeRestorePrivilege) user right from the File-Backup-Ops group.
The "Restore files and directories" user right (SeRestorePrivilege) lets an account bypass NTFS permissions and write to or replace any file, even those in protected system folders, making it a common privilege-escalation vector. Removing that right stops the group from writing to sensitive paths, while the "Back up files and directories" right (SeBackupPrivilege) still permits the read-only access needed for backup operations.
Removing only the backup right would block legitimate backups but leave the write-anywhere restore right in place. Adding an NTFS deny entry is ineffective because SeRestorePrivilege ignores discretionary ACLs. Moving the group into Backup Operators does not help, because that built-in group already possesses both SeBackupPrivilege and SeRestorePrivilege, so the escalation path would remain.
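The explanation turns on knowing which principals actually hold SeBackupPrivilege and SeRestorePrivilege on a server once Group Policy has applied. The following PowerShell script is an added example, not part of the original question: it exports the effective local user-rights assignment with secedit, resolves the listed SIDs to account names, and flags any holder of SeRestorePrivilege other than the built-in Administrators and Backup Operators groups. It assumes it is run in an elevated session on the server (secedit requires administrator rights) and that the temporary export path is writable; both are assumptions, not details from the page.

```powershell
# Added example (not from the original question): audit which principals hold
# SeBackupPrivilege / SeRestorePrivilege on the local server, so an overly broad
# Group Policy delegation like the one in the scenario can be spotted.
# Assumptions: runs elevated; $ExportPath is writable (temporary file).

$ExportPath = Join-Path $env:TEMP 'user-rights.inf'

# secedit writes the effective local security policy (including rights applied
# by Group Policy) to an INF-style file; USER_RIGHTS limits it to that section.
secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null

function Resolve-PrincipalName {
    param([string]$Entry)
    # Entries look like *S-1-5-32-551 (a SID prefixed with '*') or a bare name.
    $raw = $Entry.Trim()
    if ($raw.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($raw.Substring(1))
        try {
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Orphaned or foreign SIDs cannot be resolved; report the raw SID.
            return $raw.Substring(1)
        }
    }
    return $raw
}

$rightsOfInterest = 'SeBackupPrivilege', 'SeRestorePrivilege'

# Parse lines of the form "SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551".
$report = foreach ($line in Get-Content $ExportPath) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $rightsOfInterest -contains $Matches[1]) {
        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            if ($entry.Trim()) {
                [pscustomobject]@{
                    Right     = $right
                    Principal = Resolve-PrincipalName $entry
                }
            }
        }
    }
}

$report | Sort-Object Right, Principal | Format-Table -AutoSize

# SeRestorePrivilege ignores NTFS ACLs, so any holder beyond the two built-in
# groups is worth reviewing; a custom group such as File-Backup-Ops shows up here.
$report |
    Where-Object { $_.Right -eq 'SeRestorePrivilege' -and
                   $_.Principal -notmatch '\\Administrators$|\\Backup Operators$' } |
    ForEach-Object { Write-Warning "Non-default holder of SeRestorePrivilege: $($_.Principal)" }

Remove-Item $ExportPath -ErrorAction SilentlyContinue
```

Running this on a server where the scenario's GPO applies lists the File-Backup-Ops group under both rights and emits a warning for its SeRestorePrivilege entry; after the GPO is corrected and `gpupdate /force` has run, the group should appear only under SeBackupPrivilege. The Backup Operators group will always be reported under both rights, which is exactly why moving File-Backup-Ops into that group would not close the gap.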