lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 25 Aug 2013 02:07:18 +0200
From: "Stefan Kanthak" <>
To: <>
Cc: Full Disclosure List <>,
 BugTraq <>
Subject: Re: Defense in depth -- the Microsoft way (part
	8): execute everywhere!

Jeffrey Walton wrote:

> Hi Stefan,
>> ... administrative rights for every user account

This WAS the default for user accounts back then, and still IS the
default for user accounts created during setup.

> Hmmm... XP/x64 appears to have a bug such that the second user also
> needs to be admin (perhaps XP/x86, too). XP does not recognize the
> first account as admin, so the second account cannot be limited (at
> least on my test box).

1. A "normal" (read: attended) setup of XP forces you to create at
   least one user account (besides the always created "Administrator")
   during setup which gets administrative privileges.

   You can demote this user account on the command line with
   "NET.EXE LOCALGROUP Administrators %USERNAME% /DELETE" as well as
   interactive with "MMC.EXE LUSRMGR.MSC" and
   "RUNDLL32.EXE NETPLWIZ.DLL,UsersRunDll" alias
   "CONTROL.EXE Userpasswords2".

   Only the dumbed down "User Accounts" control panel applet
   (run via "CONTROL.EXE NUSRMGR.CPL" alias
   "MSHTA.EXE res://NUSRMGR.CPL/nusrmgr.hta") insists on having a
   second user account (besides the builtin "Administrator") with
   administrative rights and does not allow to demote the second
   (superfluous) administrative account.

JFTR: neither the dumbed down "User Accounts" control panel applet
      nor "CONTROL.EXE Userpasswords2" show disabled accounts.

2. The "out-of-box experience" allows you to create up to 5 user
   accounts during setup, which all get administrative privileges.

3. An unattended setup of XP does NOT force you to create a (second)
   user account (besides the always created "Administrator") at all,
   and allows you to disable the "out-of-box experience" too.

4. After setup the dumbed down "User Accounts" control panel applet
   defaults to create administrative accounts (and forces you to
   create an administrative account if there is only one, for
   example after unattended setup), while "MMC.EXE LUSRMGR.MSC" creates
   "users", and "CONTROL.EXE Userpasswords2" creates user accounts as
   "power users" (it shows a dialog with "users", "power users" and
   "administrators" where "power users" is selected).

The result: Jane Doe has administrative rights, via the user account
created during attended setup or afterwards with "Users & Passwords"
and its default setting.


> Vista and above make the first user admin, but others users default to standard.

It's basically like XP: the (attended) setup forces you to create at
least one user account which gets administrative privileges.

The result: as long as John Doe uses his Windows PC with just the
user account created during setup he is administrator.


[ fullquote removed ]

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists