Sacrebleu, non-admin Win8 MS accounts can install apps and open inbound firewall rule

Discussion in 'other security issues & news' started by lunarlander, Feb 1, 2014.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    I just discovered that a non-admin MS account on Windows 8.1 can install WinApps from the Store. And that app can open an inbound rule in the Windows Firewall.

    To duplicate my findings, create a hotmail account. Then in Windows 8.1 create a non-admin MS account using that hotmail acc just created. Then go to Windows Store and install Energetic Software Free Torrent. Windows 8.1 will not only install that app, but also create an inbound rule allowing traffic to that package.

    That app is now a server running on my machine, accepting attacks and all sorts of nastiness.

    So I guess that MS is saying that admin accounts are now not required to install software and modify firewall rules.
     
    Last edited: Feb 1, 2014
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    So by saying "each Win app has to be installed per user" essentially means that all MS Account users can install any app they wish and destroy a pc's security without consulting IT. And a company has to suffer any productivity loss that games bring. MS sure trusts users A LOT.

    Guess I will be using this group policy key a lot:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft Accounts.
     
    Last edited: Feb 1, 2014
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Found it:

    Computer Configuration\Administrative Templates\Windows Components\Store\Store: turn off the store application

    Thanks
     
  6. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Wait a second, without access to the Store, the built-in default WinApps won't be able to get security updates. Can I have just one MS account with access to the Store update those apps for everyone?

    Besides, turning off the store is not an option for Win 8.1 non-Pro version.
     
    Last edited: Feb 1, 2014
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    OK. Tested out the 2 reg files provided in the above post. In the reg files, 2 registry keys are mentioned; the HKCU key is not found on my Win 8.1 Home edition. The HKLM key is good.

    I think for Win 8 non-Pro-edition admins, disabling the Store would be acceptable. And a standard user cannot use the reg file from the above site to re-enable the Store, so the ban on the Store is enforceable.

    Since the WinApps are stored in \Program Files\WindowsApps, and I couldn't find any related files in \users\accountName\AppData, I am guessing that having a single MS Account to do security updates for the built-in default WinApps will work.

    But I bet a lot of admins would think a Standard account MS account cannot install software.
     
    Last edited: Feb 1, 2014
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I'm a tad confused by this. Because non-admins have always been able to install software for their own user accounts - that is, anywhere they have write access, like their own profile folders. It's just that they haven't been able to install software globally for all users, in places only admins can write, like Program Files. The fact that some software has been written so... ah... "traditionally" that it only works if it's installed globally and will crash and burn if someone attempts to install it in a non-admin account has maybe created some confusion in people about non-admin accounts and their ability to install software. To prevent installing software, stuff like Software Restriction Policies are the traditional tool; non-admin accounts aren't enough (unless you're just trying to stop global installs and don't mind if users install stuff in their own accounts, in which case non-admin accounts are just peachy).

    Same goes for the firewall rule business - if your firewall gives non-admin users rights to change its settings, then it's fair game. In case of a corporate environment, though, there really should be some sort of hardware firewall perimeter.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Opening a non-restricted port (1024 thingie and above) can be done by any user. The bind system call is restricted to admin only for privileged ports, and since the Windows net stack is based on BSD, then it's the same thing.

    You install a torrent app - and then you wonder about the port?

    Mrk
     
  11. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Points well taken. It is true that a user can install apps into non-standard places. Like how Google Chrome installs to Users\...\AppData.

    And yes, only ports below 1024 need admin privileges. But I am used to Windows needing admin rights to open the Windows Firewall with Advanced Security app. So I think nobody can touch firewall rules except administrators.

    If I am the PC's admin and I didn't open the port nor install the Torrent program, I would justifiably be worried. And who would have to fix things when the PC gets pwned - the admin.

    Also, I don't think Windows 8.1 offers a standard central place to uninstall Win Apps like "Programs and Features". I may be wrong yet again. I want control and mo' control.
     
    Last edited: Feb 3, 2014
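
For the admin's concern in the post above, an added example (not part of the thread) that lists enabled inbound Allow rules scoped to a Store app package, together with the account that owns each rule. It uses the built-in NetSecurity cmdlets on Windows 8 / Server 2012 or later; `Resolve-SidName` is a helper name introduced here.

```powershell
# Added example: audit inbound firewall rules created for Windows Store apps.
# Run from an elevated PowerShell prompt.

# Hypothetical helper: turn a user SID into DOMAIN\name, or keep the raw SID.
function Resolve-SidName {
    param([string]$Sid)
    if ([string]::IsNullOrEmpty($Sid)) { return '' }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # account deleted or not resolvable
    }
}

# Enabled inbound rules that allow traffic.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

$report = foreach ($rule in $rules) {
    $app = $rule | Get-NetFirewallApplicationFilter

    # Rules scoped to a Store app carry the app container (package) SID.
    # Classic desktop-program rules leave Package empty, so skip them.
    if ([string]::IsNullOrEmpty($app.Package)) { continue }

    $port = $rule | Get-NetFirewallPortFilter

    [pscustomobject]@{
        DisplayName = $rule.DisplayName
        Owner       = Resolve-SidName $rule.Owner   # user the rule was created for
        PackageSid  = $app.Package
        Protocol    = $port.Protocol
        LocalPort   = $port.LocalPort -join ','
        Profile     = $rule.Profile
    }
}

# Group by owner so rules created on behalf of standard users stand out.
$report | Sort-Object Owner, DisplayName | Format-Table -AutoSize
```

Rules whose `Owner` is a standard user and whose `Profile` includes Public or Domain are the ones worth reviewing first.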
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Yes, I wrote that site.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  15. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Thanks for the links and the thumbs-up. I'll go investigate.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).
     