Howto: set admin group as default owner

Discussion in 'other security issues & news' started by Gullible Jones, Apr 6, 2010.

Thread Status:
Not open for further replies.
  1. Since I've been scouring the internet for info on this for several days, I figure everyone here who hasn't seen this could also use some help. So...

    From what I understand about Windows (which isn't much :oops: ), the creator of an object (registry key, file, etc.) is by default given ownership over it, and therefore permission to do anything with it. If you're using a limited user setup, this is bad; it means that your account has ownership over stuff installed through it even though it's now supposed to be limited.

    SuRun fixes this for you. But suppose you're not using SuRun for some reason? Well, it turns out you can change the policy via the registry.

    Just do this:

    - Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    - Find the value "nodefaultadminowner"
    - Change it to 0 (zero)

    This will prevent applications installed FOLLOWING THE EDIT from being owned by your user. However, it will not change permissions on CURRENTLY INSTALLED applications; that must be done manually.
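The following audit is an added example, not part of the original post: it reads the `nodefaultadminowner` value named above and lists application directories that still need the manual ownership fix the post mentions. It assumes Windows PowerShell 3.0 or later and that applications are installed under `%ProgramFiles%`; it changes nothing.

```powershell
# Added example (not from the thread): read-only audit.
# Assumption: Windows PowerShell 3.0 or later is available.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$value  = (Get-ItemProperty -Path $lsaKey -ErrorAction Stop).nodefaultadminowner

if ($null -eq $value) {
    Write-Output 'nodefaultadminowner is not set; the OS default applies.'
} elseif ($value -eq 0) {
    Write-Output 'nodefaultadminowner = 0 (the value the post sets).'
} else {
    Write-Output "nodefaultadminowner = $value (not the 0 the post sets)."
}

# Well-known SIDs accepted as owners. Comparing SIDs instead of names
# keeps the check working on localized Windows installs.
$trusted = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    # NT SERVICE\TrustedInstaller (exists on Vista and later only)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Assumption: applications live under %ProgramFiles%; add other roots as needed.
$roots = @($env:ProgramFiles)

foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName
                $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
                # Report directories owned by anything other than a trusted SID.
                if ($trusted -notcontains $sid.Value) {
                    [pscustomobject]@{
                        Path     = $dir.FullName
                        Owner    = $acl.Owner
                        OwnerSid = $sid.Value
                    }
                }
            } catch {
                Write-Warning "Could not read owner of $($dir.FullName): $_"
            }
        }
}
```

Run it from an administrator session so every directory's security descriptor can be read; each object it emits is a top-level directory whose owner is a regular account.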
  2. Sully

    Sully Registered Member

    Dec 23, 2005
    Yes indeed. I have tried many approaches at scripting this very issue. It seems though that while I have uncovered many tidbits of info that I was not aware of, to do this natively with what is already on your machine proves to be an effort in futility.

    It comes down to either creating special groups etc like the SuRunners group, or using a tool that is not native already.

    The problem is that you must be careful when ravaging the inheritance of the containers and objects (directories and files). It is an inheritance issue that is propagated from the installation process from what I have found.

    I have manually fixed the issue, but that is no fun at all. If I can't automate it, I find the pleasure factor drops to near zero.. for some strange reason. If M$ would give a good object model on their thus far "undocumented" parameters of a few things, it might be possible to do from one .inf file. Ah, the search continues.. in my seemingly shrinking free time :)

  3. Yeah... So far the best setup I've been able to get seems to be with Win2k Pro on my dad's general-use box:

    - Install and create a user
    - Log in as admin and install drivers, service packs, and SuRun
    - Make the user a surunner and set the registry key
    - Log out and back in as the surunner, and install everything else using SuRun.

    I don't *think* there would be any permissions issues there but I'm not sure. Worst comes to worst I guess I could throw an anti-executable into the mix (probably Trust-No-Exe, assuming there are no grave bugs in it). That would be kind of overkill, but very effective I'd think.