Question for task scheduler experts

Hi experts.

Simple question: Are you aware of any OS mechanisms on Win10 that would create a scheduled task running as user? In other words: would Windows at some point decide "hey, to 'help' the user, let's create a scheduled task as him that runs under his account"? I don't think so.

More challenging form of the same question: Would you expect that altering the permissions of c:\windows\system32\tasks leads to anything unwanted other than the user being unable to create tasks, if I set them as follows:
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(Rc,S)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(W,Rc)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(W,Rc)

(this simply took away write permissions for authenticated users)
McKnife Asked:
ste5an (Senior Developer) Commented:
I'm not sure that I understand your question. I have some scheduled tasks running under my account to do data maintenance. Why should a user not create scheduled tasks? Automation makes people more efficient.
0
McKnife (Author) Commented:
There is a 0-day exploit by SandboxEscaper that allows users without any knowledge to elevate to admins - that is why. The altered permissions prevent this.
0
ste5an (Senior Developer) Commented:
"There is a 0-day exploit by SandboxEscaper that allows users without any knowledge to elevate to admins - that is why. The altered permissions prevent this."
Do you have references for this?

Cause https://www.kb.cert.org/vuls/id/906424:
Solution
The CERT/CC is currently unaware of a practical solution to this problem.

I guess the only solution would be stopping Schedule (the Task Scheduler's Windows service). But this would break a lot of MS and infrastructure services.

I haven't looked into the PoC (https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar) to see whether it requires creating a task successfully, thus this may not even be working at all.
0
McKnife (Author) Commented:
"Do you have references for this?" - you found everything you need to know with the PoC. There's a Word doc within with details about how it works.

"I guess the only solution would be..." - no, the only workaround seems to be what I found. Task scheduler continues to work and execute existing tasks, the system account and admins may still create tasks, all good, and the exploit does not work anymore.
I just wonder if there could be any side effects apart from users being unable to create tasks for a while (which is no problem for us).
0
McKnife (Author) Commented:
Ah, I guess with references you mean references that prove this ACL alteration prevents the exploit? No, I just thought that the PoC description makes clear that the crucial point is the write permissions to that tasks folder which authenticated users have. Took them away and could verify that the exploit no longer works.
0
McKnife (Author) Commented:
Just to let you know: I have deployed that ACL in our network and it has had no side effects so far.
0
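
For anyone rolling out the ACL from the question across many machines, the following added example (not part of the thread or of any poster's tooling) parses collected `icacls` output and reports any principal outside the expected set that still holds a write-capable right on the tasks folder. The function names, the allow-list and the "unhardened" sample are assumptions made for illustration, and English principal names are assumed.

```python
import re

# icacls tokens that let a principal create or change files in a folder.
WRITE_TOKENS = {"F", "M", "W", "GA", "GW", "WD", "AD"}
# Groups that are not rights: inheritance flags and the deny marker.
NON_RIGHTS = {"OI", "CI", "IO", "NP", "I", "DENY"}
# Principals that keep write access in the ACL quoted in the question.
ALLOWED_WRITERS = {
    "CREATOR OWNER", "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
    "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE",
}
TASKS_PATH = r"c:\windows\system32\tasks"

def parse_icacls(text, path=TASKS_PATH):
    """Parse icacls output into (principal, flags, rights) tuples, one per ACE."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if path and line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        who, sep, rest = line.partition(":(")
        if not sep:
            continue                          # blank or status line
        groups = re.findall(r"\(([^)]*)\)", "(" + rest)
        flags = {g for g in groups if g in NON_RIGHTS}
        rights = {t.strip() for g in groups if g not in NON_RIGHTS
                  for t in g.split(",")}
        aces.append((who, flags, rights))
    return aces

def unexpected_writers(aces, allowed=ALLOWED_WRITERS):
    """Principals outside `allowed` that an allow ACE grants a write right."""
    return sorted({who for who, flags, rights in aces
                   if "DENY" not in flags and rights & WRITE_TOKENS
                   and who not in allowed})

# The ACL from the question, as icacls prints it (path added on line 1).
HARDENED = r"""c:\windows\system32\tasks CREATOR OWNER:(OI)(CI)(IO)(F)
                          NT AUTHORITY\Authenticated Users:(OI)(CI)(Rc,S)
                          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                          BUILTIN\Administrators:(OI)(CI)(F)
                          NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(W,Rc)
                          NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(W,Rc)
Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample: same ACL with a write right left on Authenticated Users.
UNHARDENED = HARDENED.replace("(Rc,S)", "(W,Rc,S)")

if __name__ == "__main__":
    for name, acl in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, unexpected_writers(parse_icacls(acl)))
```

An empty list means only the principals named in the allow-list can write to the folder; any other name in the result is a machine where the ACL change did not land or was reverted.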
McKnife (Author) Commented:
Patched by now.

I used the described workaround without problems, by the way. It turns out to be a practical way to keep people from using the Task Scheduler, by the way.
0
