Re: Security Templates

From: Asheesh Laroia (pan-news@asheeshenterprises.com)
Date: 05/14/02


From: Asheesh Laroia <pan-news@asheeshenterprises.com>
Date: Tue, 14 May 2002 19:12:27 GMT


Sorry, maybe I was unclear.

You're trying to deny them the ability to install programs. I assert that
this is impossible:

1. Windows cannot tell the difference between "setup.exe" and
"notepad.exe", intrinsically. If "Program Files" is set to read-only,
they can install into their own directory under Profiles.

2. Windows cannot stop them from running arbitrary programs. The most it
can do is filter out program names it doesn't trust. This means that it
allows, for example, only "WORDPAD.EXE" and "NOTEPAD.EXE" and
"EXPLORER.EXE". So, if they want to run their setup program, they can
still just rename it "NOTEPAD.EXE" and run it.

3. Even if you do add these restrictions, they can get full local SYSTEM
privileges. There's a program called DebPloit that gives any user who can
log on complete local SYSTEM access by hijacking the security context of
the System process. They can then run setup.exe in the local SYSTEM
security context.

Welcome to Windows.

-- Asheesh.

On Mon, 13 May 2002 09:16:54 -0400, kbfromvt wrote:

> I'm not sure if I understand this post....
>
>>-----Original Message-----
>>Of course they can install anything. If they can run DebPloit
>>(http://www.anticracking.sk/EliCZ/bugs/DebPloit.zip), they can get local
>>SYSTEM access through a simple, 40-kilobyte program.
>>
>>MS has known about this for months, and hasn't fixed it. Maybe they
>>consider it a bug rather than a feature. For more info, just check out
>>my response to "Temporary User Rights" in this newsgroup.
>>
>>-- Asheesh.
>>
>>On Fri, 10 May 2002 11:30:36 -0400, Kyle B. wrote:
>>
>>> Hello. I am trying to change the Power Users group so that they can
>>> NOT install ANYTHING. I need to have my users as Power Users so that
>>> they can run Legacy Applications but I don't want them to have the
>>> ability to install apps. I have been poking around the Console Root
>>> and checking out the security templates, especially the "setup
>>> security" templates. However I can't seem to find any policy regarding
>>> program installs.
>>>
>>> Other than taking away the ability for Power Users to install I want
>>> everything else to remain unchanged.
>>>
>>> Thanks in advance,
>>> -Kyle B.
>>.
>>
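
Point 2 of the reply above, as an added example that is not part of the original post: a file-name filter compared with a content-hash check when an unapproved file is copied under a trusted name. The file contents, the `profile` directory and the function names are constructed for illustration, and hashing is a swapped-in alternative that the post itself does not propose.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed policy using the program names from the post.
ALLOWED_NAMES = {"NOTEPAD.EXE", "WORDPAD.EXE", "EXPLORER.EXE"}


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def allowed_by_name(path):
    """Name filter: trusts whatever the file happens to be called."""
    return Path(path).name.upper() in ALLOWED_NAMES


def allowed_by_hash(path, trusted_hashes):
    """Content filter: trusts only files whose bytes were approved."""
    return sha256_of(path) in trusted_hashes


def demo():
    """Build two stand-in files, rename a copy of one, run both filters."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        approved = work / "NOTEPAD.EXE"
        installer = work / "setup.exe"
        approved.write_bytes(b"constructed stand-in: approved editor")
        installer.write_bytes(b"constructed stand-in: unapproved installer")
        trusted = {sha256_of(approved)}  # hashes recorded by the administrator

        # The rename from point 2, done in a user-writable directory.
        profile = work / "profile"
        profile.mkdir()
        renamed = Path(shutil.copy(installer, profile / "NOTEPAD.EXE"))
        return {
            "installer_by_name": allowed_by_name(installer),
            "renamed_by_name": allowed_by_name(renamed),
            "renamed_by_hash": allowed_by_hash(renamed, trusted),
            "approved_by_hash": allowed_by_hash(approved, trusted),
        }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The hash check addresses only the rename in point 2; it does nothing about the SYSTEM-level escalation described in point 3.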


