You know how to set up Windows 2000 and XP workstations so that users must log on with passwords and they can't administer other users or your network. It's easy, right?
Wrong. The basic design of the Win32 architecture, going back to 1993, has enough built-in weaknesses to allow anyone with guest privileges to gain full admin rights.
The problem, in a nutshell, is that Windows allows applications to give themselves higher privileges than the current user of the PC enjoys. These are known as "interactive services." If a user gets such an app to run a command that requires system privileges, well, hello, new admin.
Microsoft has long advised outside companies not to take advantage of interactive services. But Windows undoubtedly includes such capabilities because Microsoft Corp. developers wanted them.
An example is the Still Image Service, a Windows 2000 program that runs automatically when you plug in a scanner, camera, or similar device.
In September 2000, Microsoft acknowledged that an ordinary user of a Windows 2000 machine could use this service "to assume any desired level of privilege." The resulting admin rights might not be limited to the hacked PC. As Microsoft said at the time, "It's unlikely, but not impossible, that the malicious user could extend control to the rest of the network" (see http://www.microsoft.com/technet/security/bulletin/MS00-065.asp).
Microsoft eliminated its program's problem in Windows 2000 Service Pack 2. But now it turns out that you're at risk in a lot of other ways.
Chris Paget, a consultant who goes by the handle Foon, has published a paper showing that numerous apps allow users to gain admin privileges. For example, with fairly simple utilities, he can use Network Associates' VirusScan 4.5.1 to grab system rights. (His paper is making waves because pros disagree on how far the hole goes. Please read http://online.securityfocus.com/archive/1/286185/2002-08-25/2002-08-31/1.)VirusScan spokesman Ryan McGee says, "This flaw could be exploited to cause serious damage, so we have to take it seriously, and we do."
Many apps allow this instant-admin trick, even by remote access. "Clearly this is a serious design flaw in Windows that violates basic security principles," says privacy expert Richard Smith, the proprietor of ComputerBytesMan.com. "It seems any corporation with Windows NT/2K/XP boxes set up with multiple users needs to be concerned."
In the future, Microsoft could stop ordinary users from communicating with processes that have high privileges. But this would hose so many apps that it apparently won't be done.
Microsoft's director of security assurance, Steve Lipman, says, "We are aggressively addressing this issue." If the problem can be patched without breaking apps, he said, Microsoft will do it. But, he added, "If this is strictly a matter of third parties using the API in a way that is counter to our recommendations, and there was nothing we could do, we'd call it a day and walk away."