Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Sun, 25 Aug 2013 02:07:18 +0200

Jeffrey Walton wrote:

Hi Stefan,

... administrative rights for every user account

This WAS the default for user accounts back then, and still IS the
default for user accounts created during setup.

Hmmm... XP/x64 appears to have a bug such that the second user also
needs to be admin (perhaps XP/x86, too). XP does not recognize the
first account as admin, so the second account cannot be limited (at
least on my test box).

1. A "normal" (read: attended) setup of XP forces you to create at
   least one user account (besides the always created "Administrator")
   during setup which gets administrative privileges.

   You can demote this user account on the command line with
   "NET.EXE LOCALGROUP Administrators %USERNAME% /DELETE" as well as
   interactive with "MMC.EXE LUSRMGR.MSC" and
   "RUNDLL32.EXE NETPLWIZ.DLL,UsersRunDll" alias
   "CONTROL.EXE Userpasswords2".

   Only the dumbed down "User Accounts" control panel applet
   (run via "CONTROL.EXE NUSRMGR.CPL" alias
   "MSHTA.EXE res://NUSRMGR.CPL/nusrmgr.hta") insists on having a
   second user account (besides the builtin "Administrator") with
   administrative rights and does not allow to demote the second
   (superfluous) administrative account.

JFTR: neither the dumbed down "User Accounts" control panel applet
      nor "CONTROL.EXE Userpasswords2" show disabled accounts.

2. The "out-of-box experience" allows you to create up to 5 user
   accounts during setup, which all get administrative privileges.

3. An unattended setup of XP does NOT force you to create a (second)
   user account (besides the always created "Administrator") at all,
   and allows you to disable the "out-of-box experience" too.

4. After setup the dumbed down "User Accounts" control panel applet
   defaults to create administrative accounts (and forces you to
   create an administrative account if there is only one, for
   example after unattended setup), while "MMC.EXE LUSRMGR.MSC" creates
   "users", and "CONTROL.EXE Userpasswords2" creates user accounts as
   "power users" (it shows a dialog with "users", "power users" and
   "administrators" where "power users" is selected).

The result: Jane Doe has administrative rights, via the user account
created during attended setup or afterwards with "Users & Passwords"
and its default setting.

Q.E.D.

Vista and above make the first user admin, but others users default to standard.

It's basically like XP: the (attended) setup forces you to create at
least one user account which gets administrative privileges.

The result: as long as John Doe uses his Windows PC with just the
user account created during setup he is administrator.

regards
Stefan

[ fullquote removed ]


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]