mailing list archives
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Sun, 25 Aug 2013 02:07:18 +0200
Jeffrey Walton wrote:
... administrative rights for every user account
This WAS the default for user accounts back then, and still IS the
default for user accounts created during setup.
Hmmm... XP/x64 appears to have a bug such that the second user also
needs to be admin (perhaps XP/x86, too). XP does not recognize the
first account as admin, so the second account cannot be limited (at
least on my test box).
1. A "normal" (read: attended) setup of XP forces you to create at
least one user account (besides the always created "Administrator")
during setup which gets administrative privileges.
You can demote this user account on the command line with
"NET.EXE LOCALGROUP Administrators %USERNAME% /DELETE" as well as
interactive with "MMC.EXE LUSRMGR.MSC" and
"RUNDLL32.EXE NETPLWIZ.DLL,UsersRunDll" alias
Only the dumbed down "User Accounts" control panel applet
(run via "CONTROL.EXE NUSRMGR.CPL" alias
"MSHTA.EXE res://NUSRMGR.CPL/nusrmgr.hta") insists on having a
second user account (besides the builtin "Administrator") with
administrative rights and does not allow to demote the second
(superfluous) administrative account.
JFTR: neither the dumbed down "User Accounts" control panel applet
nor "CONTROL.EXE Userpasswords2" show disabled accounts.
2. The "out-of-box experience" allows you to create up to 5 user
accounts during setup, which all get administrative privileges.
3. An unattended setup of XP does NOT force you to create a (second)
user account (besides the always created "Administrator") at all,
and allows you to disable the "out-of-box experience" too.
4. After setup the dumbed down "User Accounts" control panel applet
defaults to create administrative accounts (and forces you to
create an administrative account if there is only one, for
example after unattended setup), while "MMC.EXE LUSRMGR.MSC" creates
"users", and "CONTROL.EXE Userpasswords2" creates user accounts as
"power users" (it shows a dialog with "users", "power users" and
"administrators" where "power users" is selected).
The result: Jane Doe has administrative rights, via the user account
created during attended setup or afterwards with "Users & Passwords"
and its default setting.
Vista and above make the first user admin, but others users default to standard.
It's basically like XP: the (attended) setup forces you to create at
least one user account which gets administrative privileges.
The result: as long as John Doe uses his Windows PC with just the
user account created during setup he is administrator.
[ fullquote removed ]