Re: Restricted User Group

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/06/05

    Date: Sun, 6 Nov 2005 00:33:27 -0600
    
    

    When you use runas the restricted identity is added to your security token.
    Restricted identity has limited permissions in access control lists and
    apparently it is there to ensure that the user using runas has those needed
    permissions in case you do not as the account you are logged on with. System
    permissions do not apply to a user even if the user is using runas. From
    what I can tell if I use runas and specify an administrator account the
    operating system will let me run that particular application as an
    administrator but it does not change my security token to reflect membership
    in the administrators group in order to protect the operating system from
    using administrator powers beyond running that specific application.
    Personally I don't see or have not heard or read of any risk in leaving
    restricted in the ACLs configured by default and would leave it alone so as
    to not interfere with someone using runas. If you do not want to use runas
    for some reason then disable the secondary logon service. Certainly you
    should remove users/authenticated users/everyone from any ACLs where the
    result will be in users having excessive permissions in the spirit of
    principle of least privilege. Authenticated users has the advantage in that
    its membership cannot be managed and will never contain anonymous or
    guests. It is possible for the guest account to be added to the users group
    and that could be disastrous if the guest account was enabled. NSA security
    guides recommend using authenticated users when you want to grant access to
    the general population.

    --- Steve

    "Will" <westes-usc@noemail.nospam> wrote in message
    news:usNuwGp4FHA.700@TK2MSFTNGP15.phx.gbl...
    > Thanks for the definition of Restricted in the ACL lists. I'm finding this
    > entity in many of the registry ACLs. If SYSTEM is already in the ACL, why
    > would I also want to grant privileges to Restricted? If I am using Run As
    > on a binary, won't the binary run in the security context of a specific user
    > account, and wouldn't it be better to just have the ACLs refer to specific
    > user groups rather than some generic entity? I generally remove all
    > references to "Authenticated Users" in my ACLs since that and Everyone grant
    > far too permissive access to resources. I find that running with Users if
    > you want to have domain users access resources locally is usually
    > sufficient.
    >
    > In the case of Restricted, wouldn't it be enough to grant Administrators and
    > SYSTEM access to all of the ACLs and just avoid Restricted?
    >
    > --
    > Will
    >
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:uKESv5o4FHA.2524@TK2MSFTNGP10.phx.gbl...
    >> Restricted: An identity used by a process that is executed in a
    >> restricted security context. When you launch a program in Windows XP
    >> Professional with the graphical RunAs utility, selecting "Protect my
    >> computer and data from unauthorized program activity" runs the program
    >> with a restricted token that contains the S-5-12 SID.
    >
    >
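
An added example, not part of the original post: a PowerShell audit of a registry security descriptor for the broad identities this thread discusses (Everyone, Authenticated Users, Users, Guests, RESTRICTED), marking which of their ACEs carry write-type rights. The function name `Get-BroadRegistryAce` and the SDDL string are constructed for illustration; the SIDs are the well-known values for those identities.

```powershell
# Added example: list allow-ACEs held by broad principals on a registry
# security descriptor and mark the ones that can modify the key.
# The SDDL below is constructed sample data, not taken from a real key.

# Well-known SIDs for the identities discussed in the thread.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-12'     = 'RESTRICTED'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

# Rights that let a principal change the key or its security descriptor.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-BroadRegistryAce {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.RegistrySecurity]$Security
    )
    # Request SIDs instead of names so matching does not depend on locale.
    $rules = $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        [pscustomobject]@{
            Principal = $BroadSids[$sid]
            Sid       = $sid
            Rights    = $rule.RegistryRights
            CanWrite  = (([int]$rule.RegistryRights) -band $WriteMask) -ne 0
            Inherited = $rule.IsInherited
        }
    }
}

# Constructed descriptor: Administrators and SYSTEM full control, Users and
# RESTRICTED read-only, Authenticated Users full control (the ACE to review).
$sampleSddl = 'D:(A;;KA;;;BA)(A;;KA;;;SY)(A;;KR;;;BU)(A;;KR;;;RC)(A;;KA;;;AU)'
$sd = New-Object System.Security.AccessControl.RegistrySecurity
$sd.SetSecurityDescriptorSddlForm($sampleSddl)
Get-BroadRegistryAce -Security $sd | Format-Table -AutoSize

# Against a live key: Get-BroadRegistryAce -Security (Get-Acl 'HKLM:\SOFTWARE')
```

On the sample descriptor only the Authenticated Users entry comes back with `CanWrite` true; the read-only Users and RESTRICTED entries are listed but not flagged.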

