Re: Can a member of "power users"...

Wed, 09 Jul 2008 09:31:13 -0700 

On 9 Jul 2008 at 11:13, David Mazzaccaro  wrote:

> Windows XP Pro SP3
> Can a member of "power users"group:
> Install local printers?
> Configure wireless network settings?
> I have laptop users who I do NOT want to be local admins, but I would like 
> them to be able install 
> a home printer and/or configure their laptop for their home wireless network.

Looks like that will work:

    By default, the rights and permissions that are granted to the Power Users 
    group include those rights and permissions that are required to allow 
    members of the Power Users group to modify computer-wide settings, to 
    install drivers, and to run (or install) non-certified programs. 

http://support.microsoft.com/kb/825069

Note that the title of this KB article is: "A member of the Power Users group 
may be able to gain administrator rights and permissions in Windows Server 
2003, Windows 2000, or Windows XP" -- Power Users can elevate themselves to 
local admins without too much hacking.  See: "Power Users are Admins who have 
not made themselves admins yet" 
http://blogs.technet.com/jesper_johansson/archive/2006/03/12/421870.aspx  

and also this dicussion:
    "Full Disclosure: MS Windows Screensaver Privilege Escalation"
    http://seclists.org/fulldisclosure/2004/Nov/1184.html

    On Windows XP all releases, when you replace, or change the screensaver 
    displayed on the login screen with a specially crafted version designed to 
    execute programs, those programs are launched under the SYSTEM SID, IE: 
    they are given automatically the highest access level avalible to Windows. 
    This level is not accessible even to administrators.  

    This flaw is important because while one would need Power User privledges 
    or above to change the Login Screensaver, ... A similar flaw exists in 
    Win2K, but Microsoft has ignored it.

All a power user has to do is make the login screensaver run CMD.EXE and s/he 
has a command-prompt with system privs.

MSKB 825069 (above) offers two workarounds: 1. Don't use Power User's Group and 
2. Only run MS Certified applications.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
+-----------------------------------+




~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

Reply via email to