Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Windows user privileges
From: James Tucker <jftucker () gmail com>
Date: Sun, 21 Nov 2004 14:51:22 +0000

1. XP would be more suitable to run as a user if the runas service and
windows installers were developed to add more complete and easy to use
privilege elevation techniques outside of active directory and the
default group policy that gets applied.
2. Due to the above, the power users group is more appropriate (for
home / business laptop travelers(local machine only)).
3. Inside of a domain, or using the local users and groups snap in,
the default user group for account creation is "users".
4. The windows install creates the first user account as an
administrator so that they may install programs and hardware without
allot of hassle. This is in fact good for business over the
alternative (which is to hassle most end users beyond their point of
no return), no matter what the security implications, remember end
users don't care (even if they should).
5. Considering that XP is run with admin privileges all over the
world, it does quite well.

Out of interest, I suspect that many of the people involved in this
conversation, unless operating within a domain, are running as local
administrators anyway. You don't really have any special reason to be
doing so that makes you better than the end users you talk about; you
do it because it is more convenient (and your an admin) than keeping
runas sessions up of mmc, cmd, and control. (the equivalent to what
would be more common on *nix systems with su). Thus is the more
important point in the conversation, what is really required is the
ability to use all the functionality without adding too many
authentication processes. Most *nix configuration apps now ask for
elevated credentials, which, in windows, only occurs inside of a AD
Domain when using an Install Shield program along with a few other
limited areas which successfully prompt the user for admin rights, but
certainly not all things that should.

There may be a group policy object which can make the install
authentication rear its head at any install outside of a domain, but I
have had no reason to look so far. Hardware operations authentication
would also be necessary for an appropriate solution.

For the end user, such a setup is still a pain even if it does prompt
correctly. File and folder permissions are bewildering to most users,
that is problem #1 when users install applications without setting the
folder permissions correctly. The next problem is the running of
applications inside of a runas service. A small nause of the process
is that windowed applications do not get polled for refresh, so for
example using an explorer instance in a runas will not update the file
listing until you press "F5" I have witnessed bad things come of this
property already. As for fast user switching, that is not really
appropriate either, as for a start it is a high system load process,
and windows' caching routines are quite abusive when you start
switching users alot (mass unnecessary paging effects on low memory

I see the problem as not so much a "fault" but more of an area which
has not had enough development. Certainly end users should be more
aware, but they never will be so some other solution should be saught.
Nay, we are the people who are paid to produce such a solution. In
this case, you should blame the user, you should fix their issue and
produce a bill.

a little more than my 2c.

On Sat, 20 Nov 2004 19:28:13 -0600, Paul Schmehl <pauls () utdallas edu> wrote:
--On Saturday, November 20, 2004 8:19 AM -0500 Mike Hoye

<mhoye () neon polkaroo net> wrote:

On every XP install that I've seen from every major OEM (Dell, Compaq,
Gateway, etc) fast user switching is on by default and every user is
an administrator. Not "on most"; on every single one.

Furthermore, these machines don't have actual XP OS install CDs, they
usually come with "restore" CDs that just return the PC to this same
initial state if they're used, which they almost never are.

I have never seen a home user, that is to say change that setting or
create a user who is actually just a "User". Not once, ever.

And this is a flaw of the *OS*?  Or of the *OEM*?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]