Re: Restricted User Group

From: Steven L Umbach (
Date: 11/06/05

  • Next message: Roger Abell [MVP]: "Re: local admin group change, how?"
    Date: Sun, 6 Nov 2005 00:33:27 -0600

    When you use runas the restricted identity is added to your security token.
    Restricted identity has limited permissions in access control lists and
    apparently it is there to ensure that the user using runas has those needed
    permissions in case you do not as the account you are logged on with. System
    permissions do not apply to a user even if the user is using runas. From
    what I can tell if I use runas and specify an administrator account the
    operating system will let me run that particular application as an
    administrator but it does not change my security token to reflect membership
    in the administrators group in order to protect the operating system from
    using administrator powers beyond running that specific application.
    Personally I don't see or have not heard or read of any risk in leaving
    restricted in the ACLs configured by default and would leave it alone so as
    to not interfere with someone using runas. If you do not want to use runas
    for some reason then disable the secondary logon service. Certainly you
    should remove users/authenticated users/everyone from any ACLs where the
    result will be in users having excessive permissions in the spirit of
    principle of least privilege. Authenticated users has the advantage in that
    its membership cannot be managed and will never contain anonymous or
    guests. It is possible for the guest account to be added to the users group
    and that could be disastrous if the guest account was enabled. NSA security
    guides recommend using authenticated users when you want to grant access to
    the general population. --- Steve

    "Will" <westes-usc@noemail.nospam> wrote in message
    > Thanks for the definition of Restricted in the ACL lists. I'm finding this
    > entity in many of the registry ACLs. If SYSTEM is already in the ACL, why
    > would I also want to grant privileges to Restricted? If I am using Run As
    > on a binary, won't the binary run in the security context of a specific user
    > account, and wouldn't it be better to just have the ACLs refer to specific
    > user groups rather than some generic entity? I generally remove all
    > references to "Authenticated Users" in my ACLs since that and Everyone grant
    > far too permissive access to resources. I find that running with Users if
    > you want to have domain users access resources locally is usually sufficient.
    > In the case of Restricted, wouldn't it be enough to grant Administrators and
    > SYSTEM access to all of the ACLs and just avoid Restricted?
    > --
    > Will
    > "Steven L Umbach" <> wrote in message
    > news:uKESv5o4FHA.2524@TK2MSFTNGP10.phx.gbl...
    >> Restricted An identity used by a process that is executed in a
    >> restricted security context. When you launch a program in Windows XP
    >> Professional with the graphical RunAs utility, selecting "Protect my
    >> computer and data from unauthorized program activity" runs the program
    >> with a restricted token that contains the S-5-12 SID.
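
Before changing any of the ACLs discussed in this thread, it helps to see which registry keys actually carry entries for RESTRICTED, Everyone, Authenticated Users, Users or Guests, and whether those entries allow writes. The following PowerShell audit is an added example, not part of the original posts; the two key paths are constructed samples to replace with the keys under review, and the principals are matched by their well-known SIDs.

```powershell
# Added example: report ACEs held by broad well-known principals on registry keys.
# The key list is a constructed sample; substitute the keys you are reviewing.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Well-known SIDs for the principals discussed in the thread.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-12'     = 'RESTRICTED'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

# Rights that let a principal modify the key rather than only read it.
# Note: inherit-only ACEs may carry generic rights bits that this mask does not cover.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
    if (-not $acl) { Write-Warning "Cannot read ACL: $key"; continue }

    # Request ACEs keyed by SID so localized or renamed group names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if (-not $broad.ContainsKey($sid)) { continue }

        [pscustomobject]@{
            Key       = $key
            Principal = $broad[$sid]
            Type      = $ace.AccessControlType
            Rights    = $ace.RegistryRights
            CanWrite  = ($ace.AccessControlType -eq 'Allow') -and
                        ((([int]$ace.RegistryRights) -band $writeMask) -ne 0)
            Inherited = $ace.IsInherited
        }
    }
}
```

Rows with `CanWrite` set to True for Everyone, Users or Guests are the ones that matter for least privilege; read-only entries for RESTRICTED can be recorded and left in place.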
