Happy bug hunt - windows security anomalies
Out for the weekend, hunting!
Experts, maybe someone would like to verify and analyse this strange behavior (seen on win7/8.x/10, UAC on):
--
You will be able to reproduce this on any win10 or win8.1 system, most probably also on win7, but I have only tested those two.
1 open secpol.msc, and grant the privilege "change the system time" to user "testuser"
2 login as testuser and try to change the time - works. Logoff.
3 add testuser to another privileged local group, for example "network configuration operators"
4 login as testuser, try to change the time... Access is denied.
Strange, isn't it? But as with all bugs in security matters, we need to analyze it. The same happens if in step 3 we use the group "power users". It does not happen for any other local groups, though, just these two.
--
(posted the same on technet, no one helpful over there)
Experts, maybe someone would like to verify and analyse this strange behavior (seen on win7/8.x/10, UAC on):
--
You will be able to reproduce this on any win10 or win8.1 system, most probably also on win7, but I have only tested those two.
1 open secpol.msc, and grant the privilege "change the system time" to user "testuser"
2 login as testuser and try to change the time - works. Logoff.
3 add testuser to another privileged local group, for example "network configuration operators"
4 login as testuser, try to change the time... Access is denied.
Strange, isn't it? But as with all bugs in security matters, we need to analyze it. The same happens if in step 3 we use the group "power users". It does not happen for any other local groups, though, just these two.
--
(posted the same on technet, no one helpful over there)
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I proceeded and found out the following:
When either in the groups network configuration operators or power users, the user gets a split-token at logon. People who are familiar with UAC will know what I am talking about, others, please stand clear of this question.
The problem is: until they activate their full token by elevating, they also lose the privilege to set the system time. This can be verified using the command
time
to set the time once on a normal cmd and again on an elevated cmd - different results!
For whatever reason, the GUI that let's us set the time is not correctly using UAC. It brings up a UAC prompt, but it doesn't accept the user's own credentials but will only accept those of an admin.
On the command line this works.
So it is definitely a bug in the GUI. I will report it to microsoft.
When either in the groups network configuration operators or power users, the user gets a split-token at logon. People who are familiar with UAC will know what I am talking about, others, please stand clear of this question.
The problem is: until they activate their full token by elevating, they also lose the privilege to set the system time. This can be verified using the command
time
to set the time once on a normal cmd and again on an elevated cmd - different results!
For whatever reason, the GUI that let's us set the time is not correctly using UAC. It brings up a UAC prompt, but it doesn't accept the user's own credentials but will only accept those of an admin.
On the command line this works.
So it is definitely a bug in the GUI. I will report it to microsoft.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial