psloss
Who else is having fun with OEM security defaults?
It was noted in a recent post that OEMs are tinkering with the default XP security settings; I am setting up an eMachines T6524 for family use and I found that the MCE 2005 install had pretty much the same alterations to the Microsoft security defaults.
Out of the box, the security on the %ProgramFiles% and %windir% directories differ from the Microsoft defaults by the addition of an ACE that allows BUILTIN\Users what amounts to "append" access.
In addition to the privilege escalation opportunities this presents, I also found that I could add files to "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" while logged in as only a BUILTIN\Users member, meaning that little imagination is necessary to get a startup escalated to run as admin.
Interestingly, it appears that the same ACE was added to several subdirectories under "%ALLUSERSPROFILE%" and I don't have my default XP MCE 2005 install to consult until next week, so I'm not sure whose default settings these are.
Anyway, I'm curious if anyone has tested this with their pre-installed XP on Dells, HPs, and so on... if you log in as a regular User account (non-admin), can you create shortcuts or copy files into the "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" directory?
Thanks,
Philip Sloss
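The check psloss asks readers to perform (whether a low-privileged group can plant files in the per-machine Startup folder, %ProgramFiles% or %windir%), as an added PowerShell audit that is not part of the original thread. It only reports; the principal list and the set of audited paths are assumptions chosen to match the directories discussed above.

```powershell
# Added audit example (not from the original thread): report Allow ACEs that give
# low-privileged groups create/write/append rights on directories that should only
# be writable by administrators. CommonStartup resolves to
# %ALLUSERSPROFILE%\Start Menu\Programs\Startup on XP and to the ProgramData
# equivalent on later versions, so the same script works on both.
$Targets = @(
    $env:ProgramFiles,
    $env:windir,
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('CommonPrograms')
)

# Principals that should not be able to add files here (assumed list).
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# CreateFiles (= WriteData) lets a user drop a new file; AppendData (= CreateDirectories)
# lets a user create a subfolder. Write, Modify and FullControl include both bits,
# so testing for these two catches the "append" ACE the thread describes as well.
$WriteLikeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData

function Get-WeakWriteAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Deny entries and entries for admin-level principals are not findings.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteLikeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

$findings = Get-WeakWriteAce -Path $Targets
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No low-privileged create/append ACEs found on the audited paths.'
}
```

Any row whose Path is the common Startup folder is the case the thread is about: a standard user can place a shortcut there and it runs in the next administrator's logon session.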
norwegian
P Sloss, are the ACE rights in this picture what you refer to?
norwegian (reply to psloss)
Desktop gives me a write-protected error, but in Startup I added a shortcut to Opera, no errors or arguing here; not good.
I wonder, if my admin account wasn't passworded, could you add a shortcut there too?
koma3504 (reply to psloss)
You won't find this on default installs of Dell computers. See pic.
norwegian
I have that, koma3504, on my computer, yet I can do as psloss mentions, and it's no Dell.
psloss (reply to norwegian)
said by norwegian: Desktop gives me a write-protected error, but in Startup I added a shortcut to Opera, no errors or arguing here; not good. I wonder, if my admin account wasn't passworded, could you add a shortcut there too?
Yup -- on the new eMachines system and on the Dell laptop I've had for 18 months or so. In the case of the Dell laptop, though, it was "staged" almost four years ago and was originally formatted as FAT32 and then converted to NTFS, which almost guarantees that one can't configure the security defaults, particularly in the "Documents and Settings" directories.
I'm more interested in "OEM" machines purchased in the last year or so -- whether non-admins can create startups for admins like I've found on these two XP installs.
(By the way, the security on the file you posted wasn't the same. But then I'm more interested in the security on the directories I mentioned.)
Philip Sloss
norwegian (reply to psloss)
My computer is about 18 months old, from a company in Perth, Australia; not sure we need to go into names. Even though I seem to have a gold embossed XP Home disk, it has the OEM number on top of my box. If I can help, let me know.
norwegian (reply to psloss)
I also have a mate's Dell sitting here ready for a clean install if needed.
psloss
said by norwegian: I also have a mate's Dell sitting here ready for a clean install if needed.
What I'm curious about is the way that XP is configured as delivered by the OEMs; a clean Microsoft install will give you Microsoft defaults, not Dell/HP/Gateway/etc. defaults. (The former finally being solid beginning with XP.)
norwegian (reply to psloss)
Well, I've reinstalled with the OS CD supplied with my box, it's XP Home SP1, and after 12 or so reinstalls here I still can do as you say, which isn't what you are referring to if I understand it all correctly, which just deepens the hole, as surely after install it wouldn't do it, you would think, so it is on OEM by default out of the Microsoft factory.
Unless I go and buy another copy and install it... I believe the Dell here is a repair setup, is it not, whereas my CD has all the base system drivers, whereas Dell would have it all on the HDD, shouldn't it?
psloss
You might be able to reproduce the delivered configuration from a recovery CD (which is what we got here with the eMachines box), but that may vary from vendor to vendor. It's certainly not necessary if there hasn't been any tinkering with file system security; "out of the box" is the test case I'm curious about.
Thanks,
Philip Sloss
norwegian (reply to psloss)
That is what is confusing me. My CD isn't a recovery disk as such, like Dell's, yet some vendors do supply a higher-level CD, as you may say, but I've not changed any file permissions other than hiding the documents files for each user as per NTFS. So, you could say, 18 months later it still has the strange habit of being able to add a shortcut from a non-admin account to an area I shouldn't be able to.
Just for reference, my OEM is a gold embossed XP CD, whereas the Dell has a black reinstallation disk.
Please keep us informed of your findings, you have me curious now.
exocet_cm (reply to psloss)
No OEM security defaults, but I did lock my system down with the NSA's XP Security Guide and my laptop still works! www.nsa.gov/snac/os/winxp/winxp.pdf
Pretty good read if you ask me. A lot of interesting information in the guide.
Sorry for the so far-off reply.
Mele20 (reply to koma3504)
said by koma3504: You won't find this on default installs of Dell computers. See pic.
Well, of course not. That is available only for SP2 users. I have a fairly recent Dell but I have SP1 installed. DEP is not available. I don't see what that has to do with Dell.
I'm getting a new Dell next week as a replacement for the present machine. It will be interesting to see if this ACE/builtin user stuff is there. I'm likely going to reformat it right away, and I may install SP1 on it instead, but if I reformat and put XP Pro SP2 on it from the Dell Reinstallation disk it will be a pure MS install. The Dell Reinstallation disk is NOT and never has been a "recovery" disk. It is a pure MS install disk and that is all... no Dell stuff on it at all. I have made it crystal clear (I hope) to Dell that they must include all disks in the box. They hate doing that, which really irritates me.
koma3504
Yeah, they really squawk about it. The last Dell, I think it was a Dimension 3000, they said you are not getting the disk. So I told 'em: well, let's see, the customer chose the "No Security" option when they installed it, and it's installed. So I think I need to send this one back, since it's in the first 30 days of purchase. Well, that did the trick. They sent the disk real fast, lol.
They think they're breaking a license agreement with Microsoft if they do, since you're only allowed one backup, and they choose to put it on a hidden partition. Compaq didn't like it when I responded to it: well, I can always copy the pre-activated partition and put it on another computer.
Mele20
said by koma3504: Yeah, they really squawk about it. The last Dell, I think it was a Dimension 3000, they said you are not getting the disk. So I told 'em: well, let's see, the customer chose the "No Security" option when they installed it, and it's installed. So I think I need to send this one back, since it's in the first 30 days of purchase. Well, that did the trick. They sent the disk real fast, lol. They think they're breaking a license agreement with Microsoft if they do, since you're only allowed one backup, and they choose to put it on a hidden partition. Compaq didn't like it when I responded to it: well, I can always copy the pre-activated partition and put it on another computer.
What I was told was that the disks always come, whether asked for or not, with the XPS 600 series (which this one is), and that is because people who buy the XPS 600 are primarily gamers and they want to tinker with their systems, so Dell accommodates them by sending all disks with the computer, free of charge also. For all other Dell Dimensions, for home or small business, Dell will send the disks (not just the reinstall disk but the modem disk, the resources disk, Power DVD disk, Creative, monitor, etc.) if you pay for them. I never got the impression it had anything to do with a ghost image on the drive and violating MS rules.
Dell said most users throw the disks away, so why should they send them to users that don't want them? I said that I thought the 9150 crowd would want the disks just as much as the XPS600 crowd, but Dell says that isn't true. I dunno. They just better have put them in my box. I don't want to have to wait for them to send them separately.
koma3504
It shouldn't make a d**** who buys it or what system it is. They should be forced to send the hologram CD and the driver CDs/app CD like they used to have to do. If all the OEMs would quit tinkering with it, the internet would be much cleaner, as a whole.
I think they have more excuses than answers, IMO.
dave
said by koma3504: It shouldn't make a d**** who buys it or what system it is. They should be forced to send the hologram CD and the driver CDs/app CD like they used to have to do.
'Forced' by whom?
I don't think they used to 'have' to do it either.
It's a market-driven world out there. If you don't like what someone's selling, don't buy from them, and tell them why. If enough people do that, they'll change their minds - they're not stupid.
But apparently most people don't care.
I probably wouldn't buy from someone who didn't provide CDs, but I don't see that your 'forced to provide them' suggestion has any merit, either.
I kinda wish my car came with a proper spare wheel as well.
koma3504
said by dave: 'Forced' by whom?
I don't think they used to 'have' to do it either.
But apparently most people don't care.
but I don't see that your 'forced to provide them' suggestion has any merit, either.
I kinda wish my car came with a proper spare wheel as well.
Once upon a time they had to; technology wasn't advanced enough to have the recovery partition on the hard disk. Yeah, most don't care till they need them. Sure, my "forced to" has merit. Microsoft should force it so that the OEM can't tinker with the security settings, which in turn kills the FAT32 recovery partition that the OEMs are putting on the hard drives, which eliminates the security of NTFS, since FAT32 does not have any security permissions like NTFS. To the not-so-computer-savvy people that FAT32 partition is a disaster. Yeah, sure, you can hit the F10 key and do a factory restore, but what if something malicious has written to the partition? They're SOL. With a hologram CD the OEMs can't modify the security settings, making whatever Windows version it is vulnerable. Goes on the same concept: if you build a computer yourself it comes with Trend Micro ChipAway virus detection at the CMOS level, which Trend holds the patent on. Now if you buy an OEM computer like Compaq, Dell, eMachines, HP, Sony Vaio, Gateway, they strip that option out of the CMOS. My theory on this is because they are all installing Norton by default and can't have the CMOS virus detection detect something Norton can't.
psloss (reply to psloss)
For what it's worth, this system seems typical of the offerings nowadays -- it came with a system recovery disc. Using the terminology here it has a "Preinstalled Windows COA" (cert. of authority).
I can guess what the tradeoff was for the ACL tweaks (support call volume), but the security angle for me is how widespread this practice is; I believe these types of systems are popular and if a predominant number are set up this way, I also think the bad guys will use it for their purposes. Presuming this is a problem, it would have been an interesting race between the AV/AT vendors and the 0-day exploits that are out right now.
Procedurally, trying to "fix" this could be difficult, as settings like this are not easily reversible; Microsoft's current line on this doesn't bode well for coming up with a "general purpose" fix:
quote: Extensive permission changes that are propagated throughout the registry and file system cannot be undone. New folders, such as user profile folders that were not present at the original installation of the operating system, may be affected. Therefore, if you remove a Group Policy setting that performs ACL changes, or you apply the system defaults, you cannot roll back the original ACLs. . . . To help you remove the worst results of such file and registry permissions, Microsoft will provide commercially reasonable efforts in line with your support contract. However, currently, you cannot roll back these changes. We can guarantee only that you can return to the recommended out-of-the-box settings by reformatting your hard disk drive and by reinstalling the operating system.
A lot of people in this forum can probably reinstall with their proverbial eyes closed, but most of my friends and family aren't sysadmins or computer specialists... and these are the kinds of systems they use.
Philip Sloss