Here is another
recommendation from Microsoft:
The Windows user accounts that developers use normally should be added to either the Users or Power Users Groups. Developers should also be added to the Debugging Group. Being a member of the Users group allows you to perform routine tasks including running programs and visiting Internet sites without exposing your computer to unnecessary risk.
I am puzzled and disturbed why Microsoft suggests adding that account into Power Users' group given the result of a detail investigation of its exploit opportunities that concludes:
a determined member of the Power Users group can fairly easily make themselves full administrator using exploits in the operating system and ones created by third-party applications.
[...]
The lesson is that as an IT administrator you shouldn’t fool yourself into thinking that the Power Users group is a secure compromise on the way to running as limited user.
With the availability of runas, /netonly option, there is no need for the default log in account to be a member of Power User. Therefore one should disregard the 'Power User' group in the recommendation.
No comments:
Post a Comment