Security Watch

Power Hungry

Be careful who you give Power User privelages to or you may face abuse from within.

One of the most basic security principals is that of "least privilege." This principal states that you don't give the new neighbors keys to your house—you make them ring the doorbell and be invited in. In IT, it means you don't give every user administrative privileges.

If you've done a good job of this, most users don't have administrative rights, even on their own desktop systems. You may have granted some users individual rights on some machines because they have some legitimate work-related task to do, and you may have included some users in the local Power Users group. A Power User can do more than a regular user, like modify computer-wide settings, install drivers, change file associations, change Start menu shortcuts, run and install programs and more. A Power User also has more access to sensitive system files and Registry keys. A Power User, though, isn't a full Administrator, and can't add users to the Administrators group, change other users' passwords or do some other things. Adding users to the Power Users group to operate independently on the road or run legacy applications seems like a good application of least privilege.

Unfortunately, because of the rights granted to Power Users, a sophisticated user with these privileges may be able to elevate them to the administrator level. This might be possible by installing some malicious application that would add his account to the Administrators group when run. While the Power User couldn't run the application—it would require him to be an administrator—he might be able to trick an administrator into running the application. For example, he might cause a Start menu shortcut for some administrative tool to call a program that first runs the malicious code and then runs the tool. All he has to do then is get an administrator to run that specific tool. If the administrator runs it from the Start menu, game over.

Microsoft Knowledge Base article 825069, "A member of the Power Users group may be able to gain administrator rights and permissions in Windows Server 2003, Windows 2000, or Windows XP," offers the following advice: "Do not use the Power Users group."

I disagree, since in many cases the alternative is to add the user to the Administrators group. What's gained by that? There are issues and what-ifs with any privileges you grant to users. For every malicious user who would mount an elevation of privilege attack, there are many more who wouldn't knowingly do so. The answer in a perfect network is to not need to give users any elevated privileges at all; but that's not going to happen until all user applications are written to not require elevated privileges to run them, and when there's no need for traveling users to manage their own computers. For now, you may have to continue to use the Power Users group; train users in how to avoid external attacks that might gain control of their accounts and use it to elevate privileges; provide protection from these types of attacks; and insist on ethical behavior.

Oh, and while you're at it, audit Power Users' use of their special access, so you know what they're attempting to do. Instilling good ethical practices does work, but you may find it very difficult to completely eliminate mistakes, external attacks, disgruntled employees and the rare sociopath from your organization.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

comments powered by Disqus

Reader Comments:

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.