Secure superowner above admin

lakmilis

Hi there... I need to get something straight with the underlying security layers or permissions of Vista (Ultimate).

I have created a group SUPERUSER in which I have added my admin user account (NOTE, not administrator but another account with Administrative privileges, i.e. is part of group Administrators).

I have only added this one account to the superuser, and NOT the administrator.

Now... This is because I wish that the superuser has a folder, let's say, where not even the other administrators can access!

Question is this: Should I add SYSTEM as well as SuperUser (both with full rights) and remove ALL OTHER GROUPS to this folder..

Or CAN I LEAVE OUT SYSTEM? If I leave out system, can the folder get unstable due to hmm attempts to defragment or other things.

Also, if system is part of the groups which can have full rights.. Does that compromise security? i.e. Can a script or a cloaked accesser access then this folder through running as a SYSTEM process?

Final question as well.. when creating the SuperUser group... should I add SYSTEM to it? (As in, is SYSTEM implicitly part of the administrator group or not?)

Cheers... I really want to be the 'boss' of my system.. I allow other administrators on this system but to be honest.. Vista is so insecure.. I mean another administrator account just needs to type net [user] PASSWORD or so and voila.. has changed the password and can access the account.

I really think this is ridiculous.. although it is good of course when you wanna save your computer... However... I want one SUPERADMIN to be above all accounts, including the internal administrator... As mentioned, can anyone give me advice on if SYSTEM has to/doesn't have to have access to that folder(s).
PS. If I do this to a drive root... would it be crazy NOT to add SYSTEM to it? (again with the same reasonings).

PPS. Of course.. there is also a possibility of adding SYSTEM temporarily if I would wish it to defrag the drive/folder or other operations. I just need to know if it is stable in the course of time during 'normal' use.

And FINALLY LOL (sorry), I would like to make a script which I could run on a folder or file or drive (a location) which automatically removes all user rights and adds only SuperUser with full rights. Alternatively add more usability like.. exporting current settings first.. so that it can be reversed by a simple argument.

Any ideas on all this? Please... I really thought security by now should be able to become quite persistent in vista ultimate.

waiting for useful ideas : )

(So far, I have only provided help on these forums.. no one ever seems to bother replying to my issues lol)

solar
 
Erm...anyone with administrative privileges can override the security permissions and grant themselves access.

May I propose a new idea? Make your admins "Power users" and keep your "SuperUser" as the administrators.

Anyone in the Administrators group basically has unrestricted access. Even if you deny them access they have the power to override assuming they know how to.
 

Well ye I know but need administrators. So there is a hardcoded privilege level. No way then to write or 'patch' my system, injecting a higher security level than administrator? sigh... sucky sucky..
 

Hmmm. Your answer made me think. The easy solution is luckily local policies then. Disabling Group Administrators to take ownership of files. Allowing only the superadmin group/user to be allowed to do so. However... I wonder if other administrators would be enabled to access this setting or can I also exclude gpedit.msc from administrators' ability to run/access this?

If so, that solves your take on it. But I am still wondering about system stability if I would create such a drive/folder where not even admins can take ownership then, and system is not included in to it... e.g. setting system to deny?

etc
 

I don't want to play around too much with you see.. as I do not know if I would lock down a file totally if I would do this.. perhaps not even being able to format a drive due to it. (I guess it should be able to from other OS and if not, then I guess reinstall is only way...) In any case.. it's better to hear from some experts first.

cheers
 

Ok let me just make this very clear. No matter what security measures you put in place, anyone in the administrator group will be able to override. If you delete the gpedit.msc from the system they will modify the registry. If you block access to the registry they can boot from a linux disk and modify it from there. If you put a password on booting to a disk they can reset the BIOS. There is NO way to secure a system as long as you let others use it. You can go from a restricted user to an admin in the time it takes to reboot plus enter a command. It's very simple for a hacker to gain access.

I'm sorry, the answer is no. You can't stop people hacking in even when they don't have access, never mind stopping an admin.

Although, when I thought about it...using the EFS to encrypt the SAM from the system account would defo provide extra security. You would have to find a way to do it though and you can't do it while the OS is in use...

Sorry
Fearghal :(
 

No I know... I like you point out realized just after posting , that even if I would restrict gpedit, Admins would just use regedit LOL to enable. And yes, as you point out, so much can be done. BUT .. the situation I was interested in was a 'naughty admin' .. not a hacker. I am aware that a hacker I am not securing against. (which is good enough). But I want AS admin on my system, to be able to restrict access to other admins within the system itself... (nevermind linux etc).

But now at least I see how your answer 'toggled to advanced' mode and I was not at all interested in the basic mode. I have used and mucked around with computers since I got the ping pong game when it came out.. then an amstrad, then monochromatic comps and laptops.. followed by dos 6.2 , win 3.1 etc ;)

Anyway.. that was a complete digression. Hmmm .. Ye encryption.. I do think efs can get hacked too though. But anyway... speaking of that... I am so pissed off with microsoft, erm OEMS... I bought this laptop in fact due to old one dying (HP faulty mobo), and my old disk is PERFECTLY FINE... but hey... I can't ACCESS it, even on a similar model... due to BSODs cos of hardware differences... J*** &^%&^$C& *&)(*&%^^&$*^ ... Anyway... I accessed all the data from it as secondary disk of course.. bar my encrypted files!!!!! I lost my usb 4 months before, which of course had the efs backup and DOH.. All I would need to do was to log in to my old account and decrypt a lot of essential data. Instead I can't do nothing ... thanks to microsoft's HEY I DON'T WANT YOU USING THAT DISK OF YOURS NOW INSIDE ANOTHER LAPTOP. f80(*(*&^c(*ts

(sorry.. when I start thinking about how big that company is, and all the ways they try to enforce stuff... one can not do else but find it ridiculously pathetic, how little windows has come in terms of integrity, security, stability?) windows only advances is its simplicity of installing stuff... device n driver manufacturers develop for microsoft more than linux. and it is made eternally for the noob. For anyone who hasn't been silly enough to try windows or computers in general, like 60 year olds perhaps.

*growls*
 

There is a power user group that does not have full administration privileges. It only allows them to do limited things. That is the only option I can see. As long as you're only trying to restrict a 10 year old kid or a novice it should be fine. I am only 15 and so far have never been stopped by restrictions so maybe even a 10 year old can't. In school I was not an admin to start with and the SAM wasn't even on the local station and I still managed to give myself administrator power. It's just not possible to secure anything these days unless you have someone monitoring the system 24/7.

You should defo check out the power user group. I think it would be your best option. And one other thing, any admin can change the "Super Owner" password and just use that account...

Also EFS could be hacked, now that I think of it I think anyone in the admin group can decrypt the file...Seriously, making someone an admin is giving them full control. All you can do is maybe make it hard for them, but if they know what they are doing they can't be stopped no matter what level of access they have.

Sorry
Fearghal
 

Hello lakmilis, and a belated welcome to the vista forums :party:

Rather than creating a group above the system-created Administrators I would personally create a group below that level such as the one suggested by Fearghal. Once this group is created move all actual user members of the administrators group to the new group, except for yourself of course ;)

You can now use Group Policy to set the rights of the new user group to whatever you want without compromising the integrity of the Administrators group. This group can be given access to certain selected administration tools as you deem fit.

If you have any concerns about a rogue user causing problems I would advise you consider using the built-in auditing functions.

Most of this methodology comes from the network management field but can with a little work be adapted for a single multiuser system.

As a side note, if you wish to set these security systems to protect certain files or folder locations then something like TrueCrypt may better meet your needs.
 

cheers, barman...

Ye.. the only thing is I feel that moving over the administrators would be a bit of an arduous task (I thought of the powerusers myself, but would in effect have to reassign all group assignments from admins to powerusers.. blah.. plus I in the end want to hand as much admin rights as possible to the group I had in mind.) I just wanted windows to have the possibility to play around with hierarchy levels.

E.g. when one chooses deny to one group, but allow to another, if a user is in both, he will be denied. I would like if windows ultimate versions could give us the option of choosing this methodology.. i.e. should deny or allow take precedence... or could the settings of a higher level group belonging take precedence.. this imho would be the best.. so that if one user is a poweruser and administrator but powerusers were denied, he would still have access due to allow permissions to his higher group level. So being able to assign an integer value say to the groups, ranking them in a hierarchy.

Plus.. if one goes to such extent as moving all the rights, does anyone know if I can script these values.. so that if I reinstall my system, I just would have to run a script to set the policies and rights back to how they were then?

lak

Ps. cheers for the welcome ;p
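
The deny/allow behaviour described in the post above follows from ACE order rather than from a group ranking. The model below is an added example, not Windows code and not from the thread; the `alice` account, the right values and the function names are constructed. It walks a DACL in canonical order: when both ACEs are set on the folder the deny is reached first and write is refused, while an allow set on the folder is reached before a deny inherited from the parent and write is granted.

```powershell
# Added model of the DACL walk; not Windows code and not from the thread.
# Group names follow the thread; the 'alice' account and right values are constructed.
$Read = 1; $Write = 2

function New-Ace {
    param([string]$Type, [string]$Sid, [int]$Mask, [bool]$Inherited = $false)
    New-Object psobject -Property @{ Type = $Type; Sid = $Sid; Mask = $Mask; Inherited = $Inherited }
}

# Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
function Get-CanonicalOrder {
    param([object[]]$Dacl)
    $Dacl | Sort-Object { [int]$_.Inherited }, { [int]($_.Type -ne 'Deny') }
}

# Walk the ACEs in order: the first ACE that settles a requested right wins.
function Test-Access {
    param([object[]]$Dacl, [string[]]$TokenSids, [int]$Desired)
    $remaining = $Desired
    foreach ($ace in $Dacl) {
        if ($TokenSids -notcontains $ace.Sid) { continue }      # ACE names someone else
        if ($ace.Type -eq 'Deny') {
            if ($ace.Mask -band $remaining) { return $false }    # a still-needed right is denied
        } else {
            $remaining = $remaining -band (-bnot $ace.Mask)      # these rights are now granted
        }
        if ($remaining -eq 0) { return $true }                   # everything requested is granted
    }
    return $false                                                 # nothing granted the rest
}

$token = 'alice', 'Administrators', 'Power Users'   # user is a member of both groups

# Case 1: both ACEs are set on the folder itself.
$explicit = (New-Ace Allow Administrators ($Read -bor $Write)), (New-Ace Deny 'Power Users' $Write)
# Case 2: the deny is inherited from the parent, the allow is set on the folder.
$mixed = (New-Ace Deny 'Power Users' $Write $true), (New-Ace Allow Administrators $Write)

New-Object psobject -Property @{
    ExplicitDenyVsAllow  = Test-Access (Get-CanonicalOrder $explicit) $token $Write
    InheritedDenyVsAllow = Test-Access (Get-CanonicalOrder $mixed) $token $Write
}
```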
 

Lakmilis, if you tell us what you're trying to do, as in are you trying to stop the Standard Administrators doing a specific task, I'm sure we would be able to write some sort of patch to block it but you would need to be specific.
 

Hi lak,

I agree it is a major task to change from the standards - there are, I believe, suitable tools to perform this sort of set-up on client server networks, controlled through Active Directory, but these are either not readily available or too costly for single machine use.

The Structure is, unfortunately, designed to be built before, rather than after, the system is commissioned and populated with users.

This type of major change is scriptable and I believe PowerShell may have suitable functionality, although I have not yet found time to investigate its possibilities :o

In addition there are various tools for AD and permissions structure analysis & documenting including those in the free Sysinternals suite.

With regard to the deny attribute I was always taught to use this only for short term fix and troubleshooting purposes and in that situation the working method does make more sense.

There are some good resources available through places such as ZDNet and TechRepublic which you may find helpful.

It's one of those things where the cost (time) has to be weighed against the benefits (security), and of course you are the only person able to do this :)

Hopefully you can find a system that works for you
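
The reply above says this kind of change is scriptable in PowerShell. One way to do the lock-down with export and reverse that the first post asks for, as an added example that is not code from the thread: it assumes Windows PowerShell 3.0 or later in an elevated session run by the item's owner, and the function name `Set-ExclusiveAcl` and the backup file path are hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0+ in an elevated
# session run by the item's owner (Set-Acl writes the owner field back as well).
# 'SuperUser' is the group from the first post; the backup file path is an assumption.
function Set-ExclusiveAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Group = 'SuperUser',
        [string]$BackupFile = (Join-Path $env:USERPROFILE 'acl-backup.xml'),
        [switch]$IncludeSystem,   # also grant SYSTEM full control
        [switch]$Restore          # put the saved DACL back instead of locking down
    )
    $ErrorActionPreference = 'Stop'
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $item.FullName

    if ($Restore) {
        $saved = Import-Clixml -Path $BackupFile
        if ($saved.Path -ne $item.FullName) {
            throw "Backup file holds the ACL of '$($saved.Path)', not '$($item.FullName)'."
        }
        # Apply only the DACL section of the saved descriptor.
        $acl.SetSecurityDescriptorSddlForm($saved.Sddl, 'Access')
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        return
    }

    # Refuse to overwrite an earlier backup, so the original state is never lost.
    if (Test-Path -LiteralPath $BackupFile) { throw "Backup '$BackupFile' already exists." }
    New-Object psobject -Property @{
        Path = $item.FullName
        Sddl = $acl.GetSecurityDescriptorSddlForm('Access')
    } | Export-Clixml -Path $BackupFile

    # Resolve the group to a SID; this throws if the group does not exist.
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # D:P = protected DACL (inherited ACEs dropped). Containers pass the ACE to children.
    $flags = if ($item.PSIsContainer) { 'OICI' } else { '' }
    $sddl  = "D:P(A;$flags;FA;;;$sid)"
    if ($IncludeSystem) { $sddl += "(A;$flags;FA;;;SY)" }

    $acl.SetSecurityDescriptorSddlForm($sddl, 'Access')
    Set-Acl -LiteralPath $item.FullName -AclObject $acl
}
```

Call it with `-Path` to lock an item down and again with `-Restore` to put the saved DACL back; child items that carry their own explicit ACEs keep them. As the earlier replies point out, this does not stop a member of Administrators from taking ownership and rewriting the permissions.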
 

hey barman and fmc.. thanks for replies... well barman yes.. with AD one can.. but I have a system which I wish to try and become independently fulfilling my premises.. I can run a virtual server 03/08 and then one could sort it... (although) the thought in this was how about a stand alone vista ultimate, a system with no servers involved but still one admin (the owner) letting admins run the system but being able to do things as he WISHES it to be aka unix style. Anyway, when it comes to barman's comments your thoughts reflect mine. I am not super in scripting etc.. I do NEED to look up resources.. (I am no superb hacker/sysop exactly but we like to explore windows little by little). FMJ, I was being specific to what you were mentioning: e.g. make a user above admins so they can not access change the properties of a drive/folder). Including stopping all attempts to do so within the operative system.

I excluded the linux OS, startup registry to hack admin accounts etc.

lak :)

thanks for replies... nice to see someone gets involved in the question at hand.
 
