Reviews:
 ·WestNet Broadband
1 edit | Privileges From a limited user, you look at needing admin permissions.
Example:
When you use the admin password for allowing such permissions, after you do not need to re-enter the password to gain permissions, for example a simple image, file or file location etc.
I'm just wondering how good is this process / methodology?
Is there a need to stop doing it and log in as admin to process the changes required, and/or stop doing it all together to access file directories from a limited user.
Just wondering on the security implications of such a rule that is set in place....is there a need to undo these changes in a security sense and if so, what would be the easiest, do you need to log in as admin, find the specific location or file and change back the rule? Does it create a hole in the layer?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
| Re: Permissions i wasn't able to follow what you were saying..
if you need to change the permissions for a folder, or for a file, i don't thinik that it is anything to worry about.. |
|
davePremium,MVM
join:2000-05-04
not in ohio
kudos:8 | I think he's confusing 'privileges', which accounts have, with 'permissions', what files have.
But I'm still not sure what the question is.
Once you've changed the permissions on a file, they stay changed. Don't change 'em unless you want to change 'em. This is not a 'hole', it is how the protection system is intended to operate: a file knows who is allowed to access it. Of course, be it on your own head if you let the wrong people access it.
Entering the admin password affects the available privileges, by giving you a security context equal to the admins, very loosely speaking. Apparently you only need to do that once (per login)? I don't know, I don' t run in that mode. In which case there might well be a case for logging out to get rid of that elevated context, though it seems unlikely to me.
So, what's the question?  |
|
Reviews:
·WestNet Broadband
| Sorry gents, this seems to be a question on privileges.
If I allow access for instance to "my pictures" in the admin account from a limited user, I believe it is set in place and subsequent reboots does not prompt for the same privileges again.
Would this create a security risk?
I remember Lawrence of PSI fame asking a question on XP and short cuts that were allowed to be placed from a limited user into an admin account and what sort of risk it posed........in fact straight to the c:\ path from memory.
Now with Windows 7 and the updated way it interacts, I find I'm always allowing jobs to be processed, either updates, file transfers between users and the such within the limited account and gaining access to admin rights without logging out by using the admin password at the prompt presented to the limited user. While new software will always prompt for admin rights and quite often even in an admin account you still need to right click for admin rights with UAC on, I'm finding folders or paths in the directory do not behave this way, once the rule is set with using an admin password in the limited user prompt it will not request it again for the same directory location.
Would this poss a similar risk as in the XP setting (If only I could remember the topic back then) in Windows 7 with the admin password allowing the file directory you have just used to be accessed any time at all while still supposedly under the limited privileges?
Hope this isn't confusing...maybe a few pictures will help. 
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
Reviews:
·WestNet Broadband
| reply to dave
said by dave:Once you've changed the permissions on a file, they stay changed.
No, this isn't what I am on about. Seems you have picked the flaw in my terminology.
This isn't about the security tab on a file and changing parent/child rights.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
davePremium,MVM
join:2000-05-04
not in ohio
kudos:8 | reply to norwegian
said by norwegian:If I allow access for instance to "my pictures" in the admin account from a limited user, I believe it is set in place and subsequent reboots does not prompt for the same privileges again. As far as I can remember without setting up a test case for me to try, that was a permissions change on 'my pictures'. You added an access control list entry ('ACE') that gave the limited user access to a particular directory.
Adding that ACE required admin-level access. The requirement for admin-level access caused a UAC elevation prompt that demanded you supply an admin password.
Note the subtlety: the password is not needed to 'grant access'. The password is needed to make the permanent change that grants access.
Once the ACE is added, it's added. No further change is ever needed, so there is no further prompting.
Would this create a security risk?
What is your goal in giving mr. limited user access to the admin 'my pictures'. Is is just to allow him to look at the pictures? Then I'd consider allowing him to read only and nothing else.
To do that, though, I personally would start by logging in as the admin and explicitly modifying the permissions on the directory, to grant exactly what was needed and nothing else. But I'm used to the low-level mechanism and don't hold with this automatic stuff. |
|
1 edit | reply to norwegian
Re: Privileges i just keep copies of files in the "my documents" folders for both user-accounts, so no need for the limited-user to access the "my documents" folder for the administrator account..
(there are some files that i only keep in the "my documents" folder for the administrator account because i want them to be secure).. |
|
davePremium,MVM
join:2000-05-04
not in ohio
kudos:8 | Why not use 'public documents' for that which is public? |
|
Reviews:
·WestNet Broadband
| reply to dave
Re: Permissions said by dave:said by norwegian:If I allow access for instance to "my pictures" in the admin account from a limited user. You added an access control list entry ('ACE') that gave the limited user access to a particular directory. Once the ACE is added, it's added. No further change is ever needed, so there is no further prompting. Theoretically any changes made at this level, while I thought the best policy, it is in fact making creating a security risk. The "my pictures" was just an example to help explain what I'm querying, the method is what I was wondering on.
Would installing software then this way, would that also allow the same rule (ACE) to be in place too?
said by dave:To do that, though, I personally would start by logging in as the admin and explicitly modifying the permissions on the directory, to grant exactly what was needed and nothing else. But I'm used to the low-level mechanism and don't hold with this automatic stuff.
Which is what I will do from now on. If I need to access the admin user, I will never do it from a limited user using a password prompt, unless there is times when this does not affect the permissions and is safe?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
Reviews:
·WestNet Broadband
| reply to dave
Re: Privileges said by dave:Why not use 'public documents' for that which is public?
Wouldn't that allow for lowered security if you were using public folders for non-file shared machines?
I think I'd prefer to log into the admin acct and process what is required then log back into the limited user. I started all this due to being lazy in nature and I've always wondered on security of using an admin password in a limited acct is doing to my protection.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
davePremium,MVM
join:2000-05-04
not in ohio
kudos:8 | reply to norwegian
Re: Permissions said by norwegian:Would installing software then this way, would that also allow the same rule (ACE) to be in place too? No, this is about changing the permissions on a file.
The fact that 'changing the permission on a file' and 'installing some software' both require elevated access, and elevated access requires you type a password, is not really significant.
Unless there is times when this does not affect the permissions and is safe?
|
|
|
|
Reviews:
·WestNet Broadband
| said by dave:No, this is about changing the permissions on a file.
The fact that 'changing the permission on a file' and 'installing some software' both require elevated access, and elevated access requires you type a password, is not really significant.
So a directory alert "give me access" and subsequent admin password alert in the sense of what you explain for a specific file is just as bad then? For instance an alert for "my pictures folder" in the admin user when in a limited user instead of a picture or document?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
davePremium,MVM
join:2000-05-04
not in ohio
kudos:8
1 edit | I don't comprehend "just as bad". Do you want the limited user to have access to the directory or not? It's not a case of bad or good, it's a case of deciding who you want access to what. Do you want this limited user to see one photo or all photos? Do you want this limited user to be able to delete photos?
On the off-chance that "the admin" and "the limited user" correspond to the same human being, then sure, go ahead. Except in that case, why bother putting the photos in the admin's directory, why not just keep them in the limited user's directory?
You see where I'm going here? You're asking low-level technical questions, but I keep coming back to "but what are you trying to achieve here?".
We seem to be getting deeply rat-holed here. So let me try and summarize:
- If the limited user clicks on a protected directory or file, and gets the pop-up that says "click here to get permanent access", and supplies a privlieged username/password, then that will modify the access control list on the dir or file to give full control to the specific limited user. It is the same as having the privileged user log in and make the change via the security tab.
- This in itself is not inherently good or bad, though you need to trust the limited user not to do anything bad (might not even be a value judgement about a person: I don't trust my media center PC with write access to my photos, it's only allowed to read them. Helps minimize the effect of bugs.)
- The 'public documents' folder exists specifically for document-sharing, so if you really want fully-shared photos etc, why not put them in the public folder rather than in the admin folder? |
|
Reviews:
·WestNet Broadband
| Aim of thesis:
To decide whether my laziness in using a limited user and allowing admin privileges to sections Microsoft don't allow by default in user profiling could become a security risk if malware expoited my system.
This is not a school project either.
It's not a biggie, just something I've pondered for some time.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
davePremium,MVM
join:2000-05-04
not in ohio
kudos:8 | "It depends". Little harm is done in the case you cite, but of course if your admin account ever has content you don't want the limited user to play with, then you shouldn't do it. This is about protecting your documents in an appropriate way. And that, of course, is why it defaults to no-access-by-others. |
|
 BlackbirdBuilt for SpeedPremium
join:2005-01-14
Fort Wayne, IN
kudos:3
·Frontier Communi..
| reply to norwegian
Re: Privileges In a related sphere, I'm curious whether/how one can determine which files and folders may have been made accessible over time for a given limited account (other than brute-force going through each of the bazillion files/folders on the system to check their permissions one at a time)? That is, is there a listing within Windows (or some other software) that can show in one place which files/folders a particular user has permission to access? For a long time, I've wished Windows Explorer, within a limited account, had an option that would only show files/folders that the user has permission to access.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775 |
|
Reviews:
·WestNet Broadband
| reply to dave
Re: Permissions •Okay, so if I'm playing with 'my' two accounts it really is not of concern, but to do it from an "all users can use" account is not safe hex.
•And the odds of a user-land rootkit or malware jumping privileges due to my own misfortune in the way I work isn't really big either, due to the fact there is no reason to change system file ACE permissions which would create a real concern.
Thanks, curiosity got the better of me again. Appreciate your time explaining this.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
| reply to Blackbird
Re: Privileges
Yes, it has crossed my mind at times too. Would a calcs function do this? |
|
BlackbirdBuilt for SpeedPremium
join:2005-01-14
Fort Wayne, IN
kudos:3 Reviews:
·Frontier Communi..
| said by norwegian:Yes, it has crossed my mind at times too. Would a calcs function do this?
I don't know, and I wish I knew of something. In the past, in a very few moments of crisis or weakness within a limited account, I've had to allow access permissions to several folders/files to get immediate access to an important piece of information from within a limited account (logging out/back in to the appropriate account taking too much time at that moment). Usually the situation had required other immediate action on my part, such that by the time I got back to the computer and refocused on what had transpired, I couldn't readily recapture which or all of the permissions that had been altered along the way to getting the correct information. Over time, there have accumulated several such episodes, and it would be really useful to be able to look at a listing of just the files/folders that the limited-user account has permission to access so that any unwise permissions can be reverted.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775 |
|
davePremium,MVM
join:2000-05-04
not in ohio
kudos:8 | icacls /?
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
finds all matching names that contain an ACL
explicitly mentioning Sid.
e.g.
C:\users\dave>icacls * /findsid dave
SID Found: a.tmp.
SID Found: AppData.
SID Found: Application Data.
SID Found: Contacts.
SID Found: Cookies.
SID Found: Desktop.
SID Found: dir.tmp.
SID Found: Documents.
SID Found: Downloads.
:
:
|
|
