
Placing Windows user accounts in the Power Users security group is a common approach IT organizations take to get users into a least-privilege environment while avoiding the many pains of truly running as a limited user. The Power Users group is able to install software, manage power and time-zone settings, and install ActiveX controls, actions that limited Users are denied.

What many administrators fail to realize, however, is that this power comes at the price of true limited-user security. Many articles, including this Microsoft Knowledge Base article by Microsoft security specialist Jesper Johansen, point out that a user who belongs to the Power Users group can easily elevate themselves to fully-privileged administrators, but I was unable to find a detailed description of the elevation mechanisms they refer to. I therefore decided to investigate.

Before I could start the investigation, I had to define the problem. In the absence of a security flaw such as a buffer overflow, privilege escalation is possible only if an account can configure arbitrary code to execute in the context of a more-privileged account. The default accounts that have more privilege than Power Users include Administrators and the Local System account, in which several Windows service processes run. Thus, if a Power Users member can modify a file executed by one of these accounts, configure one of their executables to load an arbitrary DLL, or add an executable auto-start to these accounts, they can obtain full administrative privileges. My first step was to see which files and directories the Power Users group has write access to that limited Users do not.
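The enumeration step just described, as an added audit script for checking a machine's own ACLs; it is not code from the original post. The roots scanned and the set of rights treated as "write-class" are assumptions, and Deny ACEs are not evaluated, so hits are candidates for review rather than confirmed findings.

```powershell
# Added example: list files and directories under the given roots where
# BUILTIN\Power Users holds an Allow ACE granting write-class rights while
# BUILTIN\Users holds no such Allow ACE. Roots are an assumption; adjust them
# for the system being audited. Deny ACEs are ignored, so review each hit.
param(
    [string[]] $Roots = @("$env:SystemRoot", "$env:ProgramFiles")
)

# Rights that let a principal alter content that another account may execute.
# The mask is an assumption for this audit; FullControl and Modify imply Write.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights] `
    'FullControl, Modify, Write, WriteData, AppendData, CreateFiles, CreateDirectories'

function Get-WriteAllowRule {
    # Return the first Allow ACE for $Identity whose rights overlap the write mask,
    # or $null if the identity has no write-class Allow ACE on this object.
    param(
        [System.Security.AccessControl.AuthorizationRuleCollection] $Rules,
        [string] $Identity
    )
    foreach ($rule in $Rules) {
        if ($rule.IdentityReference.Value -ieq $Identity -and
            $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (([int]$rule.FileSystemRights) -band $WriteMask) -ne 0) {
            return $rule
        }
    }
    return $null
}

foreach ($root in $Roots) {
    # Walk files and directories; objects we cannot read the ACL of are skipped.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            $powerUsers = Get-WriteAllowRule -Rules $acl.Access -Identity 'BUILTIN\Power Users'
            $users      = Get-WriteAllowRule -Rules $acl.Access -Identity 'BUILTIN\Users'
            # Report only the asymmetry the investigation cares about:
            # Power Users can write here, limited Users cannot.
            if ($powerUsers -and -not $users) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Rights    = $powerUsers.FileSystemRights
                    Inherited = $powerUsers.IsInherited
                }
            }
        }
}
```

Run it from an elevated prompt so every ACL is readable, and pipe the output to Export-Csv to keep a record for comparing machines or builds.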
