Be careful who you give Power User privelages to or you may face abuse from within.
- By Roberta Bragg
One of the most basic security principals is that of "least privilege."
This principal states that you don't give the new neighbors keys to your house—you
make them ring the doorbell and be invited in. In IT, it means you don't give
every user administrative privileges.
If you've done a good job of this, most users don't have administrative rights,
even on their own desktop systems. You may have granted some users individual
rights on some machines because they have some legitimate work-related task
to do, and you may have included some users in the local Power Users group.
A Power User can do more than a regular user, like modify computer-wide settings,
install drivers, change file associations, change Start menu shortcuts, run
and install programs and more. A Power User also has more access to sensitive
system files and Registry keys. A Power User, though, isn't a full Administrator,
and can't add users to the Administrators group, change other users' passwords
or do some other things. Adding users to the Power Users group to operate independently
on the road or run legacy applications seems like a good application of least
Unfortunately, because of the rights granted to Power Users, a sophisticated
user with these privileges may be able to elevate them to the administrator
level. This might be possible by installing some malicious application that
would add his account to the Administrators group when run. While the Power
User couldn't run the application—it would require him to be an administrator—he
might be able to trick an administrator into running the application. For example,
he might cause a Start menu shortcut for some administrative tool to call a
program that first runs the malicious code and then runs the tool. All he has
to do then is get an administrator to run that specific tool. If the administrator
runs it from the Start menu, game over.
Microsoft Knowledge Base article 825069, "A
member of the Power Users group may be able to gain administrator rights and
permissions in Windows Server 2003, Windows 2000, or Windows XP," offers
the following advice: "Do not use the Power Users group."
I disagree, since in many cases the alternative is to add the user to the Administrators
group. What's gained by that? There are issues and what-ifs with any privileges
you grant to users. For every malicious user who would mount an elevation of
privilege attack, there are many more who wouldn't knowingly do so. The answer
in a perfect network is to not need to give users any elevated privileges at
all; but that's not going to happen until all user applications are written
to not require elevated privileges to run them, and when there's no need for
traveling users to manage their own computers. For now, you may have to continue
to use the Power Users group; train users in how to avoid external attacks that
might gain control of their accounts and use it to elevate privileges; provide
protection from these types of attacks; and insist on ethical behavior.
Oh, and while you're at it, audit Power Users' use of their special access,
so you know what they're attempting to do. Instilling good ethical practices
does work, but you may find it very difficult to completely eliminate mistakes,
external attacks, disgruntled employees and the rare sociopath from your organization.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.