In addition to built-in groups, Windows has several special identities (sometimes called
well-known groups), which are containers for accounts that transiently pass through
certain states (such as being logged on via the network) or log on from certain places
(such as interactively at the keyboard). These identities can be used to fine-tune access
control to resources. For example, access to certain processes may be reserved for
INTERACTIVE users only (and thus blocked for all users authenticated via the network).
These well-known groups belong to the NT AUTHORITY domain, so their fully qualified
names take the form NT AUTHORITY\Everyone, for example. Table 2-4 lists
the Windows special identities.
Some key points worth noting about these special identities:
The Anonymous Logon group can be leveraged to gain a foothold on a Windows
system without authenticating. Also, the INTERACTIVE identity is required in many
instances to execute privilege escalation attacks against Windows (see Chapter 7).
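
An added example, not from the original text: a simplified Python model of how a DACL written in SDDL treats these identities, covering the INTERACTIVE-only case and flagging allow ACEs for ANONYMOUS LOGON or Everyone. The SDDL strings and token SID sets are constructed, and the access check is reduced to one right expressed as a two-letter SDDL code.

```python
import re

# SDDL aliases for the special identities discussed above (NT AUTHORITY\...).
SPECIAL = {"WD": "Everyone", "AN": "ANONYMOUS LOGON", "IU": "INTERACTIVE",
           "NU": "NETWORK", "AU": "Authenticated Users"}
ACE_RE = re.compile(r"\(([AD]);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)")
RIGHT_RE = re.compile(r"[A-Z]{2}")  # two-letter rights only; hex masks are ignored


def parse_dacl(sddl):
    """Return the DACL's allow/deny ACEs in order as (type, rights, trustee)."""
    m = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    return [(t, set(RIGHT_RE.findall(rights)), sid)
            for t, _flags, rights, _og, _ig, sid in ACE_RE.findall(m.group(1))]


def access_allowed(aces, token_sids, right):
    """Simplified check for one right: the first ACE that names a SID in the
    token and covers the right decides; no match means implicit deny."""
    for ace_type, rights, trustee in aces:
        if trustee in token_sids and (right in rights or "GA" in rights):
            return ace_type == "A"
    return False


def exposed_to(aces, trustees=("AN", "WD")):
    """List allow ACEs granted to identities that need no specific account."""
    return [(SPECIAL[t], sorted(r)) for a, r, t in aces
            if a == "A" and t in trustees]


# Constructed samples (not taken from a real system).
INTERACTIVE_ONLY = "O:BAG:SYD:(D;;GA;;;NU)(A;;GA;;;IU)"
WEAK = "O:BAG:SYD:(A;;GR;;;AN)(A;;GA;;;BA)"
CONSOLE_TOKEN = {"WD", "AU", "IU"}   # user logged on at the keyboard
NETWORK_TOKEN = {"WD", "AU", "NU"}   # same user authenticated over the network

if __name__ == "__main__":
    aces = parse_dacl(INTERACTIVE_ONLY)
    print("console:", access_allowed(aces, CONSOLE_TOKEN, "GR"))
    print("network:", access_allowed(aces, NETWORK_TOKEN, "GR"))
    print("review :", exposed_to(parse_dacl(WEAK)))
```
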