Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Plan now to eliminate "power users" from your domains

Plan now to eliminate "power users" from your domains

  • Comments 1
  • Likes

I've seen some conversations lately about the Power Users group -- how powerful is it, really, and why did we remove the group from Windows Vista?

That group had rights install software and drivers. And if you can install software and drivers, then you can elevate yourself to Administrator or SYSTEM. Vista includes a signed installer that allows standard users to install packages signed by a trusted root. (The "Trusted Installer" is a service that has a SID, so you'll see it in the permissions list on various objects throughout the operating system.) The installer validates the signature chain, then elevates itself to perform the actual installation. Now, standard users can install and update approved software without having to grant membership in the too-powerful Power Users group.

We deprecated the Power Users group and removed it wherever we detected it on ACLs. We recommend that you do the same.

More details in these blog postings:

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment