Jump to content

[Question] "Power users" can have same rights "Administ


Afterdawn

Recommended Posts

If you're a member of the "Power users" then you can execute any command in the context of an administrator (or become a member of the "Administrators" group yourself) very easily, thus making it an unusuable group. Here's how:

As a "power user" you have access to add values to the following key (check for yourself if you don't believe me!). KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

All the values under this key will be executed at start-up of Windows before the Welcome/Login-screen. So you could create a value net localgroup administrators youraccount /add to add you account to the administrators group. Or you could replace/delete system files.

So I was wondering whether I should move my family accounts to the "Users" group instead, but they cannot install software this way. That's an anoying limitation. It's not that they are trying to hack the machine, but I'm worried for malware/virusses.

Are there anymore backdoors to the "power users" account?

Please NOW in Microsoft Windows XP section, use [TAGS] in your topic's title.

See rules.

--Sonic

Edited by Sonic
Link to comment
Share on other sites

  • 3 weeks later...

As a "power user" you have access to add values to the following key (check for yourself if you don't believe me!). KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

You can change the permissions on this key to prevent them from doing so. (do the same for RunOnce, RunOnceEx and half a dozen other keys that do essentially the same thing.)

All the values under this key will be executed at start-up of Windows before the Welcome/Login-screen.

Actually, they're executed during the logon process, but being in HKLM, they're executed for ALL users, so if a power user alters the key and an admin then logs on, whatever the power user added will run in the administrator's context.

So I was wondering whether I should move my family accounts to the "Users" group instead, but they cannot install software this way. That's an anoying limitation. It's not that they are trying to hack the machine, but I'm worried for malware/virusses.

Anyone who has sufficient rights to install most software can install binaries that will subvert the system the next time an administrator logs on, since most software installers demand write access to the system folders and sensitive registry keys.

You're probably better off installing software for them if you truly want to keep your system secure; that way you can verify that the software they want to install is safe. (Yes, it's a pain, but allowing inexperienced or untrusted users to install binaries to global folders is inherently insecure.)

Are there anymore backdoors to the "power users" account?

Quite a few. Depending on your setup, power users may be able to schedule tasks with the AT command, which subsequently run as SYSTEM. Among many others. (Even Users isn't totally secure in a default XP install, unless you tweak registry and filesystem permissions.)

--

Phil

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...