Windows XP Pro Security Flaw

Hey, I’m using Windows XP Pro right now and I am the administrator. I have found a flaw in the Windows security, or at least I think it is a flaw. This only affects you if you have Power User accounts on your machines. The security flaw lies in

C:\Documents and Settings\All Users\Start Menu\Programs\Startup (or something like that, I’m at a Win98 machine)

This folder is vulnerable because power users can create files here. By default, assuming an NTFS file system, only administrators are able to get into other administrators’ profiles. This is a loophole in that security, but not anymore after you read this.

For this folder, power users have Modify ability. Change the permissions to the following:

Administrators ---- Full Control
Everyone ---- Read & Execute

Make sure that only Administrators and Everyone appear on the list; remove everything else, i.e. SYSTEM, CREATOR OWNER, Power Users, etc.

The reason for my concern is that a power user could create an executable program and drop it into the startup folder indicated above. When an administrator logs on, this program could add that power user to the administrators group, giving them complete and unrestricted control over that machine.

All a power user would have to do is create a BAT file, or an EXE if they know how to program. A BAT file could contain the following lines:

@ECHO OFF
net localgroup administrators USERNAME /add

This gives that user administrator privileges. If that was programmed into an EXE file, the administrator could log on and not even know what happened until it is too late. So for all you administrators who are concerned about security, change the permissions on that folder. Also, the power user could make it so that they can remove the administrator from the administrator’s group and make them a limited user.

Just thought I would let you know, good luck! :slight_smile:

Just did some testing, the same thing goes for Windows 2000.
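As an added example (not part of the original post), a PowerShell script that audits the "All Users" Startup folder described above for write access by anyone other than Administrators, lists what is already in it and who owns each file, and with -Fix applies the permissions recommended in the post. It assumes Windows PowerShell in an elevated session; the folder path is resolved from the CommonStartup special folder rather than hard-coded.

```powershell
# Added example: audit (and optionally reset) the ACL on the "All Users" Startup folder.
# Assumes Windows PowerShell in an elevated (Administrator) session.
param([switch]$Fix)

# Resolve the common Startup folder instead of hard-coding the path, so it works on
# 2000/XP (Documents and Settings\All Users\...) and on later versions (ProgramData\...).
$startup = [Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup)
Write-Host "Auditing: $startup"

# Any write-class bit (create file, append, write attributes/EAs) is enough for a user
# to drop a program here; Modify and FullControl both include these bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$acl = Get-Acl -LiteralPath $startup

$findings = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
    $_.IdentityReference.Value -ne 'BUILTIN\Administrators'
}
if ($findings) {
    Write-Host 'Principals other than Administrators that can write here:'
    $findings | ForEach-Object { Write-Host ("  {0,-30} {1}" -f $_.IdentityReference.Value, $_.FileSystemRights) }
} else {
    Write-Host 'OK: only Administrators can write to this folder.'
}

# Show what is already there and who owns it; an unexpected owner is a red flag.
Get-ChildItem -LiteralPath $startup -Force | ForEach-Object {
    $owner = (Get-Acl -LiteralPath $_.FullName).Owner
    Write-Host ("  {0,-30} owner={1} modified={2}" -f $_.Name, $owner, $_.LastWriteTime)
}

if ($Fix) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    # Stop inheriting from the parent and drop the inherited entries, then remove every
    # explicit entry so that only the two rules below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'ReadAndExecute', $inherit, $prop, 'Allow')))
    Set-Acl -LiteralPath $startup -AclObject $acl
    Write-Host 'Permissions reset: Administrators = Full Control, Everyone = Read & Execute.'
}
```

Run it without -Fix first to see what the current ACL allows and what already sits in the folder; -Fix rewrites the DACL exactly as the post describes, including removing SYSTEM and CREATOR OWNER.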

Thanks for letting me and a bunch of low grade hackers know how to wipe out all the computer labs at school. j/k

Hmm, this can be dangerous indeed, but there are too many other ways to get access to personal folders of users with administrator rights. Just boot the machine with a boot disk / CD and put the bat file you described in the startup folder of administrator…

Well, to protect yourself against that, you could always change the boot order in your system BIOS and put a password on it. What kind of boot disk / CD is capable of that? All I know that can do such a thing is NTFSDOS.

If someone is sitting at your computer, then most security that you can apply is easily overcome. Physical access is the worst kind.

Boot it with ERD commander CD and you have full control over files and users :bigsmile:

What program is capable of doing something like that for Windows XP Pro? As far as I know, ERD Commander is for Windows 2000.

A Windows 2000 boot disk gives you full access to the WinXP Pro files that are not encrypted.

Honestly, getting root on a Windows box is easy if you have physical access.

There are methods employed to make it hard, but they can be overcome.

Originally posted by CCDKing
What program is capable of doing something like that for Windows XP Pro? As far as I know, ERD Commander is for Windows 2000.

It works fine on XP, costs a fortune though.
Also I found some kind of Linux-based floppy that will let you change the passwords on local users; works like a charm :bigsmile: and totally free.

Edit:
Oh, here it is: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Hmm, I usually have a list of things I lock down after an install, and this will be one of them from now on.

The Linux program is useless if you change the location of the default place WinXP places the registry. Someone would need to know the particular path to where you keep it otherwise, and this would make the security a lot harder to bypass. But if someone is by the PC and has physical access, I’m sure that unless you take every effort and mess with the policy editor, almost anyone can, with time, gain control.