Sacrebleu, non-admin Win8 MS accounts can install apps and open inbound firewall rule

Hi,

I just discovered that a non-admin MS account on Windows 8.1 can install WinApps from the Store. And that app can open an inbound rule in the Windows Firewall.

To duplicate my findings, create a hotmail account. Then in Windows 8.1 create a non-admin MS account using that hotmail acc just created. Then go to Windows Store and install Energetic Software Free Torrent. Windows 8.1 will not only install that app, but also create an inbound rule allowing traffic to that package.

That app is now a server running on my machine, accepting attacks and all sorts of nastiness

So I guess that MS is saying that admin accounts are now not required to install software and modify firewall rules.

 

How to install a Windows Store app in Windows 8

 

So by saying "each Win app has to be installed per user" essentially means that all MS Account users can install any app they wish and destroy a pc's security without consulting IT. And a company has to suffer any productivity loss that games bring. MS sure trusts users A LOT.

Guess I will be using this group policy key a lot:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft Accounts.

 

Manage Client Access to the Windows Store

 

Found it:

Computer Configuration\Administrative Templates\Windows Components\Store\Store: turn off the store application

Thanks

 

Wait a second, without access to the Store, then the built in default WinApps won't be able to get security updates. Can I have just one MS account with access to the Store update those apps for everyone ?

Besides, turning off the store is not an option for Win 8.1 non-Pro version.

 

I'm not sure about your first paragraph. For your second paragraph, maybe this could help: http://www.eightforums.com/tutorials/5804-store-enable-disable-windows-8-a.html.

 

OK. Tested out the 2 reg files provided in above post. In the reg files, 2 registry keys are mentioned, the HKCU key is not found on my Win 8.1 Home edition. The HKLM key is good.

I think for Win 8 non-Pro-edition admins, disabling the Store would be acceptable. And a standard user cannot use the reg file from the above site to re-enable the Store, so the ban on the Store is enforceable.

Since the WinApps are stored in \Program Files\WindowsApps, and I couldn't find any related files in \users\accountName\AppData, I am guessing that having a single MS Account to do security updates for the built-in default WinApps will work.

But I bet a lot of admins would think a Standard account MS account cannot install software.

 

I'm a tad confused by this. Because non-admins have always been able to install software for their own user accounts - that is, anywhere they have write access, like their own profile folders. It's just that they haven't been able to install software globally for all users, in places only admins can write, like Program Files. The fact that some software has been written so... ah... "traditionally" that it only works if it's installed globally and will crash and burn if someone attempts to install it in a non-admin account has maybe created some confusion in people about non-admin accounts and their ability to install software. To prevent installing software, stuff like Software Restriction Policies are the traditional tool, non-admin accounts aren't enough (unless you're just trying to stop global installs and don't mind if users install stuff in their own accounts, in which case non-admin accounts are just peachy).

Same goes for the firewall rule business - if your firewall gives non-admin users rights to change its settings, then it's fair game. In case of a corporate environment, though, there really should be some sort of hardware firewall perimeter.

 

Opening a non-restricted port (1024 thingie and above) can be done by any user. The bind system call is restricted to admin only to privileged ports, and since the windows net stack is based on bsd, then it's the same thing.

You install a torrent app - and then you wonder about the port?

Mrk

 

Points well taken. It is true that a user can install apps into non-standard places. Like how Google Chrome installs to Users\...\AppData.

And yes, only ports below 1024 need admin privileges. But I am used to Windows needing admin rights to open the Windows Firewall with Advanced Security app. So I think nobody can touch firewall rules except administrators.

If I am the PC's admin and I didnt open the port nor install the Torrent program, I would justifiably be worried. And who would have to fix things when the PC gets pwned - the admin.

Also, I don't think Windows 8.1 offers a standard central place to uninstall Win Apps like "Programs and Features". I may be wrong yet again. I want control and mo' control.

 

@lunarlander: If it's ok to ask, are you the author of http://hardenwindows7forsecurity.com/?

 

yes I wrote that site.

 

Looks pretty comprehensive .

FYI: a Home user can use Software Restriction Policies using the program mentioned in https://www.wilderssecurity.com/showthread.php?t=359155.

Another free anti-executable is Tuersteher Light.

 

Thanks for the links and the thumbs-up. I'll go investigate.

 

You're welcome .