Win7 - anyone know why MS removed this group policy setting?

Discussion in 'other security issues & news' started by Defenestration, Apr 16, 2010.

Thread Status:
Not open for further replies.
  1. Defenestration (Registered Member; Joined: Jul 17, 2004; Posts: 1,086)

    I've been playing around with SuRun, where there is an option during install to set the default owner for objects created by Admins to the Administrators group, rather than the object creator (i.e. the admin user). After a bit of research, it appears MS have removed this group policy setting, although it can be enabled again:

    http://support.microsoft.com/kb/947721


    I understand the obvious reasons why setting the default owner to the Admin group could be useful (i.e. a user in the Admin group is removed from the Admin group, but then still has access to files created while admin), but am wondering if this is useful for someone running plain Win 7 x64 Ultimate, with SUA for most work, elevating to an admin account when needed, and AppLocker/SRP (i.e. is it a good idea to set the default owner for objects created by Admins to the Administrators group, rather than the object creator?)?
     
    Last edited: Apr 16, 2010
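
An added example, not part of the original thread: an object's owner can always rewrite its permissions, so before an admin account is demoted it is worth listing what that account personally owns. This sketch assumes PowerShell 3.0 or later; the function name, parameter names and the sample account are hypothetical.

```powershell
# Added example: lists files and folders owned by one specific account
# instead of by the Administrators group. Names below are hypothetical.
function Get-PersonallyOwnedItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Account about to be demoted, e.g. 'PC1\alice' (constructed sample value)
        [Parameter(Mandatory = $true)] [string] $Account
    )

    # Resolve the account name to a SID once; owners are compared by SID,
    # so the match does not depend on how the name is displayed.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $target  = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try {
                $acl   = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
                $owner = $acl.GetOwner($sidType)
                if ($owner -and $owner.Value -eq $target.Value) {
                    [pscustomobject]@{
                        Path        = $item.FullName
                        OwnerSid    = $owner.Value
                        IsContainer = $item.PSIsContainer
                    }
                }
            } catch {
                # Unreadable security descriptors are reported, not silently skipped.
                Write-Warning "Cannot read owner of $($item.FullName): $($_.Exception.Message)"
            }
        }
}

# Usage (run elevated so protected directories can be read):
# Get-PersonallyOwnedItem -Path 'C:\Program Files' -Account 'PC1\alice'
```

An empty result means the account owns nothing under the path; any rows returned are objects the account could still re-permission after being removed from the Administrators group.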
  2. MrBrian (Registered Member; Joined: Feb 24, 2008; Posts: 6,032; Location: USA)

    See http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx for a discussion of this setting. I would guess that by removing this setting (and having the Administrators group be the default owner for objects created by any member of the Administrators group) Microsoft has made it easier to demote an admin account to standard user without having security issues related to ownership.
     
  3. doktornotor (Registered Member; Joined: Jul 19, 2008; Posts: 2,047)

    Well, the approach chosen in W7 has its own quirks as well, though more like on the opposite side than XP. :D
     
  4. MrBrian (Registered Member; Joined: Feb 24, 2008; Posts: 6,032; Location: USA)

    This makes it tougher for programs (malware included) to modify/delete critical Windows files, which IMHO is a good thing :). This approach is used in Vista also.
     