Happy bug hunt - windows security anomalies

McKnife
Out for the weekend, hunting!

Experts, maybe someone would like to verify and analyse this strange behavior (seen on win7/8.x/10, UAC on):
--
You will be able to reproduce this on any win10 or win8.1 system, most probably also on win7, but I have only tested those two.

1. Open secpol.msc and grant the privilege "change the system time" to user "testuser".

2. Log in as testuser and try to change the time - works. Log off.

3. Add testuser to another privileged local group, for example "network configuration operators".

4. Log in as testuser, try to change the time... Access is denied.

Strange, isn't it? But as with all bugs in security matters, we need to analyze it. The same happens if in step 3 we use the group "power users". It does not happen for any other local groups, though, just these two.
--
(posted the same on TechNet, no one helpful over there)
Kyle Abrahams, Senior .Net Developer

Commented:
Is the privilege denied for NCOs? A deny will take precedence over any grant.
Distinguished Expert 2018

Author

Commented:
No. Defaults on clean systems. Take a minute and reproduce this.
Distinguished Expert 2018
Commented:
I proceeded and found out the following:
When in either of the groups network configuration operators or power users, the user gets a split token at logon. People who are familiar with UAC will know what I am talking about; others, please stand clear of this question.

The problem is: until they activate their full token by elevating, they also lose the privilege to set the system time. This can be verified using the command
time
to set the time once on a normal cmd and again on an elevated cmd - different results!

For whatever reason, the GUI that lets us set the time is not correctly using UAC. It brings up a UAC prompt, but it doesn't accept the user's own credentials but will only accept those of an admin.
On the command line this works.

So it is definitely a bug in the GUI. I will report it to Microsoft.
Distinguished Expert 2018

Author

Commented:
Self-solved.
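
The split-token finding above can be checked from the session itself. The following PowerShell is an added example, not code from the thread: it reports the elevation type of the current process token and whether SeSystemtimePrivilege is present in it. The type name Demo.Tok and the function names are hypothetical.

```powershell
# Added example (not from the thread): inspect the current process token.
# Demo.Tok is a hypothetical wrapper name for the advapi32 P/Invoke.
Add-Type -Namespace Demo -Name Tok -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr hToken, int infoClass,
    out int info, int infoLength, out int returnLength);
'@

function Get-TokenElevationType {
    # WindowsIdentity.GetCurrent() exposes a handle to the process token.
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $type = 0
    $len  = 0
    # Information class 18 = TokenElevationType, returned as a 4-byte value.
    $ok = [Demo.Tok]::GetTokenInformation($id.Token, 18, [ref]$type, 4, [ref]$len)
    if (-not $ok) { throw 'GetTokenInformation(TokenElevationType) failed' }
    switch ($type) {
        1 { 'Default' }   # no split token: UAC did not filter this logon
        2 { 'Full' }      # elevated half of a split token
        3 { 'Limited' }   # filtered half of a split token
        default { "Unknown($type)" }
    }
}

function Get-TokenPrivilege {
    # Privilege names in the first CSV column are not localized;
    # the description and state columns are, so match on Name only.
    whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State
}

function Test-SystemTimePrivilege {
    $priv = Get-TokenPrivilege |
        Where-Object { $_.Name -eq 'SeSystemtimePrivilege' }
    [pscustomobject]@{
        User                  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ElevationType         = Get-TokenElevationType
        SeSystemtimePrivilege = if ($priv) { $priv.State } else { 'not in token' }
    }
}

Test-SystemTimePrivilege
```

Run it as testuser once in a normal and once in an elevated PowerShell window; per the finding above, the first should report a Limited token without the privilege and the second a Full token that carries it.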
