Fri, Oct 27 2006 22:40
bradley
An OEM build
...so I was doing some testing on this workstation at home and couldn't figure out why it wasn't LUA freaking out like I expected it to.... well I think I found the answer...
http://www.threatcode.com/hp_oem.htm
That's an image of the permissions on the root of my HP Pavilion C drive here at home ....
Everyone - Full Control. Now keep in mind this system already has a Data Execution Protection Exclusion for the Help and Support Center... and it has worse security on the C: drive than Windows 2000's default permissions:
Members of the Everyone and Users groups (normal users) do not have broad read/write permission as in Windows NT 4.0. These users have read-only permission to most parts of the system and read/write permission only in their own profile folders. Users cannot install applications that require modification to system directories nor can they perform administrative tasks.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_rzdw.mspx?mfr=true
On this .. nearly new, HP Pavilion computer... I might as well be running Windows 98. Because on this system the Everyone group DOES have broad read/write permissions all over the place.
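One way to check a machine for the condition described above, as an added example that is not part of the original post: it reads the ACL on the system drive root and reports Allow entries that give Everyone, Authenticated Users or Users Modify or Full Control. The choice of groups and thresholds is an assumption of this example, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): audit the drive root ACL for
# broad groups holding Modify or Full Control.
param([string]$Root = "$env:SystemDrive\")

# Well-known SIDs, so the check does not depend on localized group names.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$modify     = [int][System.Security.AccessControl.FileSystemRights]::Modify
$genericAll = 0x10000000   # GENERIC_ALL, which can appear unmapped on inherit-only entries

# Ask for explicit and inherited rules, with identities returned as SIDs.
$acl   = Get-Acl -LiteralPath $Root
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    $sid = $ace.IdentityReference.Value
    if ($ace.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }

    $rights = [int]$ace.FileSystemRights
    $level  = $null
    if ((($rights -band $full) -eq $full) -or ($rights -band $genericAll)) { $level = 'FullControl' }
    elseif (($rights -band $modify) -eq $modify) { $level = 'Modify' }

    if ($level) {
        [pscustomobject]@{
            Path      = $Root
            Group     = $broad[$sid]
            Level     = $level
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No Modify or Full Control grants to Everyone, Authenticated Users or Users on $Root" }
```

An `AppliesTo` value that includes `ContainerInherit` or `ObjectInherit` means the grant flows down to new folders and files created under the root, not just the root itself.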
How can Microsoft support the home/end user when the permissions that they've worked SO HARD to ensure are tightened up are not implemented in the systems that are used by home users... the ones that turn into bots and whatnot? What hope do we ever have in having security when manufacturers change defaults and NEVER TELL END USERS?
And go into any small business and we tend to not flatten these builds but use them "as is".
Can you tell I'm a bit shocked by HP's changing of the default permissions? To me this is unacceptable...that this is not disclosed... and the permissions are weakened so much on a home PC.
(To Karen....yes, it's a home PC as I stated ... all the more reason to not change the ACLs to Everyone Full Control...but there have been reports from other Security MVPs that OEM 'consumer grade' builds of boxes have adjusted permissions and ACLs.... given that there are times that you walk in and the owner hands you the machine from Best Buy...but even with business class machines, I'm finding too much crud on the box for my liking. Quicken, McAfee... there are too many other programs and crud on there that you don't have a standard image)