Afterdawn, on Jan 21 2006, 11:44 AM, said:
As a "power user" you have access to add values to the following key (check for yourself if you don't believe me!): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
You can change the permissions on this key to prevent them from doing so. (do the same for RunOnce, RunOnceEx and half a dozen other keys that do essentially the same thing.)
Afterdawn, on Jan 21 2006, 11:44 AM, said:
All the values under this key will be executed at start-up of Windows before the Welcome/Login-screen.
Actually, they're executed during the logon process, but being in HKLM, they're executed for ALL users, so if a power user alters the key and an admin then logs on, whatever the power user added will run in the administrator's context.
Afterdawn, on Jan 21 2006, 11:44 AM, said:
So I was wondering whether I should move my family accounts to the "Users" group instead, but they cannot install software this way. That's an annoying limitation. It's not that they are trying to hack the machine, but I'm worried about malware/viruses.
Anyone who has sufficient rights to install most software can install binaries that will subvert the system the next time an administrator logs on, since most software installers demand write access to the system folders and sensitive registry keys.
You're probably better off installing software for them if you truly want to keep your system secure; that way you can verify that the software they want to install is safe. (Yes, it's a pain, but allowing inexperienced or untrusted users to install binaries to global folders is inherently insecure.)
Afterdawn, on Jan 21 2006, 11:44 AM, said:
Are there any more backdoors to the "power users" account?
Quite a few. Depending on your setup, power users may be able to schedule tasks with the AT command, which subsequently run as SYSTEM. Among many others. (Even Users isn't totally secure in a default XP install, unless you tweak registry and filesystem permissions.)
--
Phil
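
To check the permissions discussed in this reply, the following PowerShell audit lists every account other than SYSTEM and Administrators that is allowed to write to the three autorun keys named in the post. It is an added example, not part of the original thread; it assumes PowerShell 3.0 or later, and the trusted-account list is an assumption to adjust for your system.

```powershell
# Added example (not from the thread). Key list: the three keys named in the post.
$keys = 'Run', 'RunOnce', 'RunOnceEx' | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
}

# Assumption: only SYSTEM and the local Administrators group should hold write access.
$trusted = 'S-1-5-18', 'S-1-5-32-544'

# Rights that allow planting or changing an autorun value, or re-granting access.
$write = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# ACEs can also carry the raw GENERIC_ALL / GENERIC_WRITE bits.
$write = $write -bor 0x10000000 -bor 0x40000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # RunOnceEx is often absent
    $acl = Get-Acl -LiteralPath $key
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.RegistryRights -band $write) -eq 0) { continue }
        $sid = $rule.IdentityReference
        if ($trusted -contains $sid.Value) { continue }
        # Resolve the SID to a name for the report; keep the raw SID if that fails.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Key       = $key
            Identity  = $name
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No write access to the autorun keys outside SYSTEM and Administrators.' }
```

On a system where the group still has write access, it shows up in the output as BUILTIN\Power Users (SID S-1-5-32-547).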