Local Administrator

[kylei]

We have an application that is giving me tons of issues when run under
a user in the local Users Group. I have asked the vendor for the
files/folders/registry entries permissions but they have not given them
to me. I could turn on auditing and find all the
files/folders/registry entries to give the local Users Group access to
but that may take a long time and I don't have that kind of time at the
moment.

Right now I'm using Group Policy to lockdown the PC so that the only
thing a user can run is the specified application. No right clicking,
no tray icons, no Start Menu items except that application, and no
internet access because we block all access to the internet with
Websense.

With all this in mind, what is my security risk for the local computer
and for the network? Can you think of any way to cause damage?

 

[Steven L Umbach]

You might also want to look at the free tools called filemon and regmon from
SysInternals that can help you track down where access is denied to a file
or registry key. You could logon to the computer as a regular user and use
runas to bring up filemon or regmon just before you try to run the
application and then when it fails close the log for filemon/regmon, look
for access denied entries, make permissions adjustment and try again. Even
doing such not all applications can be made to run for a regular user by
modifying file folder and registry permissions.

The biggest risk with a user being local administrator is to the local
computer mostly and to the network if the computer becomes infected with
malware like a worm that wants to spread via your network. If a computer
becomes infected while the logged on user is a local administrator then the
malware will have administrator access to that computer and can write/modify
anywhere on it. Good antivirus protection and not being able to use the
internet will greatly reduce that risk.

If a user is a local administrator they have the capability to do anything
they want on the computer including undoing any current restrictions if they
have the knowledge how to do such and the desire. Most users do not even
understand the concept of an administrator account and probably will just
live with things as they are but you always will have some curious users.
The first think such a user could do would be to try to access the command
prompt where a local administrator could then own the computer. The command
prompt could be accessed in a number of ways including from within
applications. A local administrator could also unjoin a computer from the
domain, logon as a local account that is a local administrator to bypass
domain Group Policy user configuration settings, rename executables to be
what is on the white list to bypass restrictions, and run scripts.

I am not saying that will happen in your network but it should be considered
as a possibility if you allow a user to be local administrator. --- Steve

 

[Danny Sanders]

If you are using Win 2k take a look at this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;269259


hth
DDS W 2k MVP MCSE

 

[kylei]

I am interested in how malware would get on a computer that has no
internet access and no USB or CD access?

I'm also interested in knowing how a user can access the command prompt
from within an application if the command prompt has been disabled?

 

[Steven L Umbach]

If the floppy drive is available that can still be a way but if access to
all external media [including floppy] is disabled and there is no internet
access then the chance for malware is greatly reduced. If the computer has
network connectivity to other computers then that is a possible avenue for
access though again if that is tightly controlled the risk can be minimized.
I don't know how your internet restrictions work but keep in mind that if it
is by IP address or lack of default gateway a local administrator could
possibly change the default gateway and IP address of their computer.

If the command prompt is disable that will make it more difficult. Some
applications allow access to the command prompt. Another thing to keep in
mind is that if the user can access command.com then they still can access
the command prompt. One way for instance could be to use Word and enter
command.com into a blank document, save the file and select .txt extension,
and then name the file prompt.bat. Then the user could try to use Explorer
to open that .bat file and they will have a command prompt. The user could
also simply enter command.com in the run box if that is available or open
Explorer and click command.com. The user could also try to use Word,
notepad, and word to create batch files or VB scripts to run on the
computer. Many programs allow the user to save files other than native
format such as to .txt files and the user can take advantage of such to
write scripts which if the user can execute will run in the context of their
user account. If I open Word and create a document that has " net localgroup
administrators username /add " and save it as a .txt file named
mybatchfile.bat, I can then try to run it to add a user account I created
to the local administrators group.

You can do a lot to lockdown any account in Windows 2000/XP Pro and the more
you do the harder it will be for a user to overcome the barriers but a user
that is local administrator with a high level of knowledge of the operating
system and some scripting skills more than likely would find a way to
eventually take control of the computer if they really wanted to. Not having
any access to external media [access to tools, canned scripts, .reg files]
and strict control of network access will make the task harder.

Having said that security is all about managing risk - not trying to
eliminate all risk. If allowing users to be local administrators makes
business sense and the risk is minimal then it may be perfectly acceptable
to your organization. Many times the main risk is increased support costs
for users that screw up their computers. --- Steve