Plan now to eliminate "power users" from your domains

I've seen some conversations lately about the Power Users group -- how powerful is it, really, and why did we remove the group from Windows Vista?

That group had rights install software and drivers. And if you can install software and drivers, then you can elevate yourself to Administrator or SYSTEM. Vista includes a signed installer that allows standard users to install packages signed by a trusted root. (The "Trusted Installer" is a service that has a SID, so you'll see it in the permissions list on various objects throughout the operating system.) The installer validates the signature chain, then elevates itself to perform the actual installation. Now, standard users can install and update approved software without having to grant membership in the too-powerful Power Users group.

We deprecated the Power Users group and removed it wherever we detected it on ACLs. We recommend that you do the same.

More details in these blog postings:

• Power Users are Admins who have not made themselves Admin yet, by Jesper Johannson
• The power in Power Users, by Mark Russinovich

Comments

• Anonymous
  January 01, 2003
  PingBack from http://blog.wisefaq.com/?p=299