RE: WINNT security privilege escalation attack

From: Jason Lopes (Jason@rga.com)
Date: 10/29/02


From: Jason Lopes <Jason@rga.com>
To: focus-ms@securityfocus.com
Date: Tue, 29 Oct 2002 11:58:30 -0500

I believe that if you format the drive during OS installation the default
is:

Quote --
WINNT is writeable by Power Users and
Administrators, while normal users have only read and execute access.
Similarly, on a Win2K server I just checked out, Server Operators and
Administrators have write access, but again normal users can only read and
execute.
End Quote --

but if you install the OS as a FAT partition and convert it, I believe
Everyone gets full control across the board.

Jason Lopes Systems Administrator (MCSE, MCP + I)
Phone 212-946-4192 Fax 212-946-4010 jason@rga.com
R/GA 350 West 39th Street New York, NY 10018 www.rga.com

-----Original Message-----
From: Paul Knibbs [mailto:pknibbs@3t.co.uk]
Sent: Tuesday, October 29, 2002 3:29 AM
To: focus-ms@securityfocus.com
Subject: WINNT security privilege escalation attack

Eric Howard said:

>>Microsoft, in my opinion, has committed a grave mistake in
the NTFS permission scheme for the WINNT directory. ANY user may create
files in this directory, even AFTER the C2 security rollups are applied.<<

I'm not sure what OS he's talking about, but I can attest that these are NOT
the default permissions set on either Windows XP Professional or Windows
2000 Server. On my XP Pro machine WINNT is writeable by Power Users and
Administrators, while normal users have only read and execute access.
Similarly, on a Win2K server I just checked out, Server Operators and
Administrators have write access, but again normal users can only read and
execute.

Paul Knibbs
Systems Administrator
3T Productions Ltd
T: 0161 492 1400 F: 0161 492 1401
www.3t.co.uk

Standard Disclaimer
This message is confidential. You should not copy it or disclose its
contents to anyone. You may use and apply the information only for the
intended purpose. Internet communications are not secure and therefore 3T
does not accept legal responsibility for the content of this message. Any
views or opinions presented are only those of the author and not those of
3T. If the e-mail has come to you in error please delete it and any
attachments. Please note that 3T may intercept incoming and outgoing e-mail
communications.
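
Added example, not part of the original thread: one way to check the point the posters disagree on is to read the system directory's ACL and list any allow entries that give broad groups write-type rights. It assumes a Windows host with PowerShell 3.0 or later; the choice of groups and of which rights count as "write" is this example's own.

```powershell
# Added example: report ACEs on the system directory that let broad groups write.
# Assumption: run locally on the host being audited.
$target = $env:SystemRoot   # C:\WINNT on NT/2000, C:\Windows on later releases

# Well-known SIDs, so the check does not depend on localized group names.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Rights that allow creating, changing or deleting content, or re-permissioning it.
# None of these bits is part of ReadAndExecute, so read-only entries do not match.
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs may also carry raw generic rights: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$mask = [int]$rights -bor 0x40000000 -bor 0x10000000

$acl     = Get-Acl -LiteralPath $target
$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        $broad.ContainsKey($sid) -and
        (([int]$ace.FileSystemRights) -band $mask)) {
        [pscustomobject]@{
            Principal   = $broad[$sid]
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            # InheritOnly means the entry applies to children, not to the directory itself.
            Propagation = $ace.PropagationFlags
            Inheritance = $ace.InheritanceFlags
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No write-type allow entries for Everyone, Authenticated Users or Users on $target"
}
```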


