{"id":25043,"date":"2007-09-20T10:00:00","date_gmt":"2007-09-20T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2007\/09\/20\/it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-elevation-to-administrator\/"},"modified":"2007-09-20T10:00:00","modified_gmt":"2007-09-20T10:00:00","slug":"it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-elevation-to-administrator","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20070920-00\/?p=25043","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Elevation to administrator"},"content":{"rendered":"<p>Surprisingly, it is not a security vulnerability that administrators can add other users to the Administrators group. But that doesn&#8217;t stop people from claiming that it is.\n For example, it&#8217;s not uncommon for a vulnerability report to come in with the following steps:<\/p>\n<ol>\n<li>(a)&nbsp;Install this rogue service\/driver,     or     (b)&nbsp;copy this rogue program to your machine and change this     registry key in <code>HKEY_LOCAL_MACHINE<\/code> to point to it,     or     (c)&nbsp;<a href=\"http:\/\/www.pcworld.com\/article\/id,129781-pg,1\/article.html\">replace this file in the system directory with a rogue program<\/a>. <\/li>\n<li>Log on as an unprivileged user. <\/li>\n<li>Perform magical operation&nbsp;X. <\/li>\n<li>Boom! User is now an administrator! <\/li>\n<\/ol>\n<p> Wow, this looks bad. An unprivileged user can elevate to administrator and&#8230; wait a second, what&#8217;s that in step&nbsp;1?\n To perform step&nbsp;1, you need to have administrative privileges already. Only administrators can install services and drivers, only administrators can change registry keys in <code>HKEY_LOCAL_MACHINE<\/code>, and only administrators have write permission in the system directory. Therefore, this &#8220;vulnerability&#8221; basically says &#8220;If you can gain administrator privileges, then you can add anybody to the Administrators group.&#8221; Well, sure, but you really chose the complicated way of doing it. Once you get administrator privileges, just do a <code>NET LOCALGROUP Administrators Fred \/ADD<\/code> and you&#8217;re done.\n After all, why write a service or a driver when a batch file does the trick just as easily?\n An alternative  step&nbsp;4 is &#8220;Boom! User is pwnz0red!&#8221; Well, yeah, an administrator can install software that commandeers user accounts. This is hardly a surprise, is it?<\/p>\n<p> In a sense, this is &#8220;security vulnerability by obscurity&#8221;: By making your alleged exploit unnecessarily complicated, you can fool people into thinking that you&#8217;re actually onto something. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Surprisingly, it is not a security vulnerability that administrators can add other users to the Administrators group. But that doesn&#8217;t stop people from claiming that it is. For example, it&#8217;s not uncommon for a vulnerability report to come in with the following steps: (a)&nbsp;Install this rogue service\/driver, or (b)&nbsp;copy this rogue program to your machine [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-25043","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>Surprisingly, it is not a security vulnerability that administrators can add other users to the Administrators group. But that doesn&#8217;t stop people from claiming that it is. For example, it&#8217;s not uncommon for a vulnerability report to come in with the following steps: (a)&nbsp;Install this rogue service\/driver, or (b)&nbsp;copy this rogue program to your machine [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/25043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=25043"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/25043\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=25043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=25043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=25043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}