
  • Root Admin

You would not want to. On XP Pro if you are in the Administrators group then you already have FULL control of everything on the system. It's not like Vista or Windows 7 where even an Admin account still cannot do everything and has to use the built-in Administrator account for real security changes.


  • Root Admin

Just what Microsoft chose to do to enhance security starting in Vista with the User Account Control. It puts another layer of "Mother May I" prompts and controls so that you have to agree that you want to run something that might potentially be damaging to the system or might make system-wide changes for all users of the system.


Just what Microsoft chose to do to enhance security starting in Vista with the User Account Control. It puts another layer of "Mother May I" prompts and controls so that you have to agree that you want to run something that might potentially be damaging to the system or might make system-wide changes for all users of the system.

The first user setup on Vista and Windows 7 is by default given Administrative privileges. Accounts created after that are "Standard User" accounts by default.

Administrative privileges means that Windows will pop up a dialog box and grey out the desktop (there's evidently a security reason for greying it out, but I'm not sure exactly how it works). The dialog will ask if you want to permit some action, as mentioned above. "Mother May I."

The problem is that this procedure for approving escalation of privileges only works for well-behaved software. Malware can bypass that and get the escalation on its own without your approval or knowledge.

The cure is to make sure that the account you normally use is a standard user. The system will then ask you for the password of the admin account before escalating privileges. There are also some few tasks that affect the entire system that you simply can't do as a standard user. For those you will have to Switch User (log in) to the admin account, do what you need to do, and log out.

If you're setting up a new system and you're going to, for example, have your normal user account be "bob," when the installer asks you to set up a user account, choose something like "bob-admin." It can be whatever you want, although I don't think it can be "Administrator" because that account is evidently disabled by default in Win 7 and maybe Vista too.

Once the install is done and has applied all the updates, create another standard user account, and call it "bob" this time. This is the account you will use on a day-to-day basis for everything but administering the system.

I went with "stuart" and "stuart-admin" and for the stuart-admin account I changed the desktop wallpaper and window decorations to be obnoxious, bright colors. I also disabled some of the eye candy. This way I will hopefully never forget when I am logged in as the admin user, and remember to switch to my regular account when I'm done with my administrative tasks.

If you have already installed Vista or Win 7 and the account you're using has admin privileges, create _another_ user account and make it an admin user. Set a password and then log out and log in as your new admin user to make sure you can access it. When you're satisfied you can, go into user management and change the type of your original account from admin to standard user. Never change all your users to standard user accounts! Never! You'll be locked out of all admin functions, including changing user type back to admin. At that point it's pretty much time for a re-install of Windows. (There might be a way of hacking into it, but I haven't looked to find out.) Always keep one admin user with administrative privileges.

There was a recent report about using just a standard user account. I had tried running as a standard user on XP a while back, but it never really worked well. When it came time to move to Win 7, I checked into this topic beforehand and found out what was needed to do it. Then a few days ago I saw news items about a report that a company named BeyondTrust had released. It's worth reading.

You'll be able to find the company's web site easily enough, but here are some of the news items that Google finds on the report:

http://news.google.com/news/more?q=beyondt...d=0CDIQqgIoADAA

If there's any interest, I could create a new thread about this, since it's somewhat off-topic in this one.
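
A pre-flight check for the "always keep one admin user" rule in the post above, as an added PowerShell example that is not part of the original post. It parses `net localgroup Administrators` output; the function names are hypothetical, the embedded sample is constructed, and it assumes the English output layout and that the built-in Administrator account is disabled.

```powershell
# Added example; function names are hypothetical. The sample text is constructed.
# On a real machine use:  $out = net localgroup Administrators
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
bob
bob-admin
The command completed successfully.
'@ -split "`r?`n"

function Get-AdminMembers([string[]]$NetOutput) {
    # Members are the non-blank lines after the dashed rule, minus the final status line.
    $rule = -1
    for ($i = 0; $i -lt $NetOutput.Count; $i++) {
        if ($NetOutput[$i] -match '^-{10,}') { $rule = $i; break }
    }
    if ($rule -lt 0) { throw "Unrecognised 'net localgroup' output" }
    if ($rule -ge $NetOutput.Count - 1) { return @() }
    $rest = @($NetOutput[($rule + 1)..($NetOutput.Count - 1)] | Where-Object { $_.Trim() })
    if ($rest.Count -lt 2) { return @() }
    return @($rest[0..($rest.Count - 2)] | ForEach-Object { $_.Trim() })
}

function Test-SafeToDemote([string[]]$NetOutput, [string]$Account,
                           [string[]]$Ignore = @('Administrator')) {
    $members = @(Get-AdminMembers $NetOutput)
    # Admins left after the change. The built-in Administrator is ignored by
    # default on the assumption that it is disabled, so it cannot rescue you.
    $remaining = @($members | Where-Object { $_ -ne $Account -and $Ignore -notcontains $_ })
    New-Object PSObject -Property @{
        Account   = $Account
        IsAdmin   = ($members -contains $Account)
        Remaining = $remaining -join ', '
        Safe      = ($remaining.Count -gt 0)
    }
}

# Case 1: bob and bob-admin are both administrators; check demoting bob.
Test-SafeToDemote $sample 'bob' | Format-List
# Case 2: bob is already a standard user; check demoting bob-admin as well.
$afterBob = $sample | Where-Object { $_ -ne 'bob' }
Test-SafeToDemote $afterBob 'bob-admin' | Format-List
```

A name listed in `Remaining` may be a group or an account you cannot actually log in to, so the check does not replace the step of logging in with the second admin account before changing the first.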


How do you create a Windows user account with system-level privileges (above administrator-level), and why would you want to? I'm running Windows XP Pro.

You can temporarily act as the entity 'system':

As any admin account, open a command prompt and schedule another command prompt to open as 'system' -- here's how... (note: This must be done at the PC, remote desktop will not work)

First make note of the current system time, for this example we will pretend the current time is 14:00. At the prompt type 'at 14:02 /interactive "cmd.exe" ' (hit enter). You should get a response that a new job was added to the task scheduler.

While you are waiting for the new command prompt to open, start task manager and end the 'explorer.exe' process.

When the new command prompt opens, it is running as 'system'. Type 'explorer' (hit enter) and your workspace will build with system privileges. Now go and do what you need to do as system.

My reason for doing so is when I need to recover a customer's data to an external hard drive and don't want to mess around with file permissions.

'System' also allows you to delete files that 'administrator' normally cannot, such as the contents of the 'system restore' folder.
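
From the defender's side, a job scheduled with `at` shows up in the task list, so it can be audited. The following is an added PowerShell example, not part of the original post: it filters `schtasks /query /fo csv /v` output for tasks that run as SYSTEM and either carry an `at`-style name or launch a shell. The function name is hypothetical and the sample rows are constructed and trimmed to three columns.

```powershell
# Added example; the function name is hypothetical.
# Constructed sample, trimmed to the columns used here. On a live system:
#   $csv = schtasks /query /fo csv /v
$csv = @'
"TaskName","Task To Run","Run As User"
"\At1","cmd.exe","SYSTEM"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM"
"\BackupDocs","C:\Tools\backup.cmd","bob-admin"
'@ -split "`r?`n"

function Find-SuspectSystemTasks([string[]]$CsvLines) {
    $shells  = 'cmd(\.exe)?|powershell(\.exe)?|explorer(\.exe)?'
    # Optional quote, optional directory, then one of the shell names as the program.
    $pattern = '^"?([^"]*\\)?(' + $shells + ')("|\s|$)'
    $CsvLines | ConvertFrom-Csv |
        # Any repeated header rows drop out here: their "Run As User" is not SYSTEM.
        Where-Object { $_.'Run As User' -match '(^|\\)SYSTEM$' } |
        ForEach-Object {
            $reasons = @()
            if ($_.TaskName -match '^\\?At\d+$')     { $reasons += 'created with at.exe' }
            if ($_.'Task To Run' -match $pattern)    { $reasons += 'launches a shell' }
            if ($reasons.Count) {
                New-Object PSObject -Property @{
                    Task    = $_.TaskName
                    Command = $_.'Task To Run'
                    Reasons = $reasons -join '; '
                }
            }
        }
}

Find-SuspectSystemTasks $csv | Format-Table Task, Command, Reasons -AutoSize
```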


You can temporarily act as the entity 'system':

As any admin account, open a command prompt and schedule another command prompt to open as 'system' -- here's how... (note: This must be done at the PC, remote desktop will not work)

First make note of the current system time, for this example we will pretend the current time is 14:00. At the prompt type 'at 14:02 /interactive "cmd.exe" ' (hit enter). You should get a response that a new job was added to the task scheduler.

While you are waiting for the new command prompt to open, start task manager and end the 'explorer.exe' process.

When the new command prompt opens, it is running as 'system'. Type 'explorer' (hit enter) and your workspace will build with system privileges. Now go and do what you need to do as system.

Now isn't _that_ a gaping security hole? So "at" runs as the system user and you can use at to open a shell for you. Any malware that can get administrative privileges can then get system privileges for anything it wants to run, and even the admin user won't be able to control it.


Nope, it's not a gaping security hole because to add a scheduled task or open an administrative command prompt you have to get through UAC, so the separation of user vs. system privileges is still there. The same goes for installing a service (which is another way for a program to run with admin or system privileges); UAC will still be there guarding the gate :).


First make note of the current system time, for this example we will pretend the current time is 14:00. At the prompt type 'at 14:02 /interactive "cmd.exe" ' (hit enter). You should get a response that a new job was added to the task scheduler.

I like it. :)

Got anything for Vista/7 ?

Edit.

Found it:

Run Vista as System


  • 2 weeks later...
Nope, it's not a gaping security hole because to add a scheduled task or open an administrative command prompt you have to get through UAC, so the separation of user vs. system privileges is still there. The same goes for installing a service (which is another way for a program to run with admin or system privileges); UAC will still be there guarding the gate :D.

I have seen info suggesting that it isn't that hard to bypass UAC to escalate privileges, particularly when the user account has admin rights rather than being a standard user account.

Here's an example:

http://www.sophos.com/blogs/chetw/g/2009/1...e-8-10-viruses/

The whitepaper mentioned in that blog entry says that one way is to inject code into a trusted application.

Or there are a number of discussions on various web forums about how to do it. I'm not going to post the URLs, but the info is out there.
