In NT/2000/XP, a 'privilege' or 'right' is something you are allowed to do by virtue of who you are. Privileges have names like 'Load and Unload Device Drivers'. Privileges are assigned to particular user ids or to user groups. Assigning privileges to role-based groups is often more convenient, so (for example) the Load Drivers privilege is assigned to the Administrators group, which means that any member of Administrators can load drivers.
Privileges are assigned by the User Rights Assignment thingy in the Local Security Settings console, secpol.msc.
Privileges are independent of any particular object. You can 'Load (any) Drivers', not 'Load (specific) Driver FOO.SYS'.
In NT/2000/XP, 'permissions' are settings applied to system objects (such as files, directories, registry keys) that say who is allowed to do what to this object. Permissions are specified in the access control list (part of the security descriptor) for each such object.
Thus the access control list for some file might say:
Administrators : full control
Power Users : read
Dave : read + write
The ability to edit an access control list is of course a permission that is granted (or not) by that access control list. Given that access, the list can be edited to add or remove access permissions.
Entries in the access control list refer to either a user id or a group. It is often convenient to use role-based groups such as Administrators rather than individual user ids; this avoids the need to update every file in the system when (for example) you appoint a new member of Administrators.
Note that granting some user Joe 'full control' access to a file FOO.SYS does not allow Joe to load FOO.SYS as a driver. That requires 'load driver' privilege. The thing that is being protected is the running operating system and not the file FOO.SYS (FOO.SYS is the weapon that we're protecting the OS against).
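The two checks can be looked at side by side on a current Windows system with PowerShell. This is an added example, not part of the original page; the sample path is an assumption, and `SeLoadDriverPrivilege` is the internal name of the 'Load and unload device drivers' right.

```powershell
# Added example: inspect a privilege (held by the caller's token) and a
# permission (stored on one object). $Path is an assumed sample file.
$Path = Join-Path $env:SystemRoot 'System32\drivers\null.sys'

# 1. Privilege: carried in the access token, independent of any file.
#    'whoami /priv' lists only privileges present in the token. The column
#    headers used here are the English ones; localized systems differ.
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$load  = $privs | Where-Object { $_.'Privilege Name' -eq 'SeLoadDriverPrivilege' }
if ($load) {
    "Token holds SeLoadDriverPrivilege (state: $($load.State))"
} else {
    "Token does not hold SeLoadDriverPrivilege"
}

# 2. Permission: read from the access control list of this one object.
$acl = Get-Acl -LiteralPath $Path
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize | Out-String

# 3. Who may edit the ACL itself? That is the ChangePermissions right
#    (included in FullControl), granted or not by the same list.
$changePerms = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -band $changePerms) } |
    ForEach-Object { "Can edit ACL: $($_.IdentityReference)" }
```

An account can appear in the output of step 2 or 3 for the file and still be absent from step 1: the file's ACL says nothing about whether its holder may load drivers.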