Jesper's Blog : Power Users are Admins who have not made themselves admins yet

Sunday, March 12, 2006 11:32 PM by jesper

Power Users are Admins who have not made themselves admins yet

It seems kind of odd that in 2006 I would still get these questions, but twice in the past week have I had to explain the truth about Power Users to someone. Typically they are organizations who are trying to limit the rights of their users, who right now run as admins. Unfortunately, they are under the mistaken impression that making those users Power Users will help.

Power Users are simply Administrators who have not made themselves Administrators yet. There are access control lists, privileges, and other settings all over the OS that allow them to do so. Making someone a power users only makes it marginally more difficult to shoot yourself in the foot. It does not actually limit their privileges, nor does it protect them from malware, which can typically run just fine with Power User privilege.

Two related issues usually come up at about this point in the conversation. The first one is that some application requires at least Power User privilege. If that application is not an inherently administrative one it is broken. Period. Return it for a refund or a fixed version.

The second issue that comes up is that the organizaton is going to modify the permissiosn of Power Users so they are less privileged. If that is what you users need then why not make them users in the first place? It is really unlikely that you will be able to cripple Power Users sufficiently and if you do they become users, which is what you should have used in the first place. Some people try to cripple Power Users even though nobody should be in that group. Why? If nobody is in the group what difference does it make what privileges it has? Usually I then get the standard argument that "if someone is able to add themselves to the group..." Only Administrators could do that. If a user can do that they would not make themselves Power Users. That is a completely flawed argument. Besides, most people who try to cripple Power Users run afoul of KB 885409 and end up with a destabilized and unsupported system in the process.

In general, I prefer making people Administrators over Power Users. That way it is obvious that they have extremely elevated rights and a glaring problem is more likely to get fixed than one that is papered over.

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# Return Quickbooks for Refund

Monday, March 13, 2006 3:44 PM by Tales from the Crypto

I was going to title this post "Microsoft Representative Says to Return Quickbooks for Refund".&nbsp;...

# re: Power Users are Admins who have not made themselves admins yet

Tuesday, March 14, 2006 4:35 AM by BOFH

Even regular Users are Admins who have not made themselves admins yet....

# re: Power Users are Admins who have not made themselves admins yet

Wednesday, March 15, 2006 10:39 AM by JB

I know better than to put users in the Power Users group, for the reasons you described. My question is, what is the purpose of this group in the first place?

# re: Power Users are Admins who have not made themselves admins yet

Thursday, March 16, 2006 1:39 AM by jesper

BOFH, that is partially true. One might argue, for instance, that any user with physical access to the computer is an admin who haven't made themselves an admin yet.

The Power Users group was added long ago to provide a way to run applications that were written assuming elevated privileges. Over time, more and more things were added to the rights of that group and fairly quickly it went past the point where the group provided any isolation. Since then it has been there only for backward compatibility.

# re: Power Users are Admins who have not made themselves admins yet

Monday, March 20, 2006 1:43 AM by Steve Riley

It's very simple, really, and I can even put it in simple language.

admin = God
power user = Christ

And, according to the literature,

Christ = God

It follows, therefore, that:

power user = God

# re: Power Users are Admins who have not made themselves admins yet

Friday, March 24, 2006 1:28 AM by lpiatek

Christ isn't God! Read John 14:28..

# re: Power Users are Admins who have not made themselves admins yet

Saturday, March 25, 2006 7:53 AM by Where can I return my Microsoft Software?

Really good points, and I could agree with you more. I'm very ready to implement and also to advise my peer consultants to lower the Domain Users default additionally assigned Local Administrator group down to the Local User level. But if I do that in my SBS 2003 deployment things like Remote Web Workplace no longer work. Yes it is a nasty predicament because that is the number one coolest thing that customers like about SBS ...and there is no comparable competitive product. Plz I'd rather Microsoft fix this not provide refunds and returns.

# re: Power Users are Admins who have not made themselves admins yet

Saturday, March 25, 2006 1:47 PM by Susan

RWW doesn't need admin rights other that to initially get the Active X controls on the box in the first place.

Most software needs admin rights to get the software 'on' the box, after that they don't need normal admin to run.

Software typically always needs rights to install, it should not need rights to run.

# re: Power Users are Admins who have not made themselves admins yet

Sunday, March 26, 2006 12:41 AM by Scott

This is a great thread and article...most of us know this stuff but need to be hit over the head and reminded where we maybe going wrong. Keep up these great articles Jesper I really enjoy reading and getting your perspective.

# re: Power Users are Admins who have not made themselves admins yet

Sunday, March 26, 2006 1:00 AM by Susan

http://www.sbslinks.com/RWW-LUA.htm

Remote web workplace as LUA.

It works.

The problem is not hacking up the registry, I would argue.. but knowing if what we're hacking is ends up making our systems more insecure.

# re: Power Users are Admins who have not made themselves admins yet

Wednesday, March 29, 2006 3:47 AM by wkasdo

Here is the relevant KB. Helpful if you need to sell this.

http://support.microsoft.com/default.aspx?scid=kb;en-us;825069

# re: Power Users are Admins who have not made themselves admins yet

Monday, May 01, 2006 7:28 PM by kbiel

Sorry for the OT response, but someone else started it :p

lpiatek: Read just a few chapter back: http://www.biblegateway.com/passage/?book_id=50&chapter=10&verse=30&version=31&context=verse

Now back to your regularly scheduled topic...

While no security system will ever be foolproof, Windows will remain will continue to contain more holes than the titanic as long as MS insists on full backwards compatibility in each release of the OS. I read Raymond Chen's blog regularly and I appreciate the immensity of the problem with breaking backwards compatibility, but there are ways to mend the API (or restructure it entirely) using VMs and compatibility subsystems. Yes, they make the legacy programs run slower or in some crippled fashion, but it has got to be better than the current veneer of security we have to endure because Company X refuses to part with application Y that was written for Windows 3.11.

# BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

Thursday, July 06, 2006 7:59 AM by Shawn's résumé writing prevention tips

&nbsp;
OK.&nbsp; gripe time.&nbsp; One of my co-workers was asked by a customer, "Can you prevent a...

# The Power in Power Users

Sunday, November 05, 2006 12:30 PM by Mark's Blog

Placing Windows user accounts in the Power Users security group is a common approach IT organizations

# RWPT - BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

Friday, December 07, 2007 4:56 AM by Shawn's MIIS/ILM tricks, PKI Hints, and Résumé Writing Prevention Tips

OK. gripe time. One of my co-workers was asked by a customer, "Can you prevent a local admin from deselecting

# Plan now to eliminate "power users" from your domains

Monday, February 11, 2008 1:03 PM by Steve Riley on Security

I've seen some conversations lately about the Power Users group -- how powerful is it, really, and why

# Plan now to eliminate "power users" from your domains | Secure Software Engineering Blog

Sunday, March 02, 2008 1:59 PM by Plan now to eliminate "power users" from your domains | Secure Software Engineering Blog

PingBack from http://www.secure-software-engineering.com/2008/03/02/plan-now-to-eliminate-power-users-from-your-domains/

Name (required)
Your URL (optional)
Comments (required)
Remember Me?

Jesper's Blog

Tags

News

Archives

Security blogs

Power Users are Admins who have not made themselves admins yet

Comment Notification

Comments

# Return Quickbooks for Refund

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

# The Power in Power Users

# RWPT - BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

# Plan now to eliminate "power users" from your domains

# Plan now to eliminate "power users" from your domains | Secure Software Engineering Blog

Leave a Comment

Jesper's Blog

Tags

News

Archives

Security blogs

Power Users are Admins who have not made themselves admins yet

Comment Notification

Comments

# Return Quickbooks for Refund

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# re: Power Users are Admins who have not made themselves admins yet

# BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

# The Power in Power Users

# RWPT - BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

# Plan now to eliminate "power users" from your domains

# Plan now to eliminate &quot;power users&quot; from your domains | Secure Software Engineering Blog

Leave a Comment

# Plan now to eliminate "power users" from your domains | Secure Software Engineering Blog