Security Watch

Power Hungry

Be careful who you give Power User privelages to or you may face abuse from within.

• By Roberta Bragg
• 09/13/2004

If you've done a good job of this, most users don't have administrative rights, even on their own desktop systems. You may have granted some users individual rights on some machines because they have some legitimate work-related task to do, and you may have included some users in the local Power Users group. A Power User can do more than a regular user, like modify computer-wide settings, install drivers, change file associations, change Start menu shortcuts, run and install programs and more. A Power User also has more access to sensitive system files and Registry keys. A Power User, though, isn't a full Administrator, and can't add users to the Administrators group, change other users' passwords or do some other things. Adding users to the Power Users group to operate independently on the road or run legacy applications seems like a good application of least privilege.

Unfortunately, because of the rights granted to Power Users, a sophisticated user with these privileges may be able to elevate them to the administrator level. This might be possible by installing some malicious application that would add his account to the Administrators group when run. While the Power User couldn't run the application—it would require him to be an administrator—he might be able to trick an administrator into running the application. For example, he might cause a Start menu shortcut for some administrative tool to call a program that first runs the malicious code and then runs the tool. All he has to do then is get an administrator to run that specific tool. If the administrator runs it from the Start menu, game over.

Microsoft Knowledge Base article 825069, "A member of the Power Users group may be able to gain administrator rights and permissions in Windows Server 2003, Windows 2000, or Windows XP," offers the following advice: "Do not use the Power Users group."

I disagree, since in many cases the alternative is to add the user to the Administrators group. What's gained by that? There are issues and what-ifs with any privileges you grant to users. For every malicious user who would mount an elevation of privilege attack, there are many more who wouldn't knowingly do so. The answer in a perfect network is to not need to give users any elevated privileges at all; but that's not going to happen until all user applications are written to not require elevated privileges to run them, and when there's no need for traveling users to manage their own computers. For now, you may have to continue to use the Power Users group; train users in how to avoid external attacks that might gain control of their accounts and use it to elevate privileges; provide protection from these types of attacks; and insist on ethical behavior.

Oh, and while you're at it, audit Power Users' use of their special access, so you know what they're attempting to do. Instilling good ethical practices does work, but you may find it very difficult to completely eliminate mistakes, external attacks, disgruntled employees and the rare sociopath from your organization.