Is every user a member of Users?

[Les Desser]

After trying to secure a stand alone PC I have come to the conclusion
that a user that is not a member of group Users, is nevertheless
implicitly part of that group.

Am I correct?

 

[Steven L Umbach]

Yes. Anyone who logs on locally for instance is a member of the
authenticated users group which is a member of the users group. Use the "
net localgroup users " to see that and use the gpresult support tool to see
all the groups that a user is a member of. Always be extremely carefully
when configuring deny user rights when adding the users or everyone groups.
Exactly what are you trying to secure? --- Steve

 

[Roger Abell]

The membership in the Users group is only exactly what
is shown when you view it.
Now, in a default scenario you will see that Interactive
and Authenticated Users are nested within Users.
Due to these any account that logs in locally or any account
that is authenticated (respectively) will become a Users
member during that login/usage.
These groups do not have to be nested within Users, but
when removed one does need to understand what they have
been enabling so that the parts of that which are needed can
be provided.

 

[Les Desser]

Yes. Anyone who logs on locally for instance is a member of the
authenticated users group which is a member of the users group. Use the
" net localgroup users " to see that and use the gpresult support tool
to see all the groups that a user is a member of.

At least that makes a bit more sense - see below

Always be extremely carefully when configuring deny user rights when
adding the users or everyone groups. Exactly what are you trying to
secure?

I was trying to secure a stand alone W2K Pro PC so that a guest could
browse the web and play some mp3 files but nothing else.

I created a Visitors group and a Visitor user to be its member (rather
then using Gusts/Guest) and Visitor was not a member of Users and
nevertheless Visitor could go anywhere until I removed all permissions
for Users.

I cannot understand having such a security model where Users/User exist
and are granted permissions by default, but if membership of Users is
removed from a user it is STILL a member of Users.

If Users is something special then it should not be possible to assign a
user explicitly to the Users group - something that is done all over the
place by default.

You live and learn - thanks for the quick response. I see bringing
knowledge of a security model from elsewhere to Windows may be
dangerous.

I will pass your response on grc.techtalk where I have come from to get
this sorted.

Thanks again.

 

[Steven L Umbach]

The fact that a user can not be removed from the user group is probably to
prevent denial of service attacks against the operating system similar in a
way that the built in administrator account can not be removed from the
local administrators group.

If you wish to restrict a user add that user to a group and then use
ntfs/registry permissions, user rights, and Group Policy to restrict the
user. It is more difficult to use Group Policy to lockdown a user/group on a
stand alone computer though as by default Group Policy applies to all local
users though there are hacks that can change the to exempt local users from
Group Policy. For instance you may be able to use Local Group Policy -
gpedit.msc and restrict the user via user configuration/administrative
tools/system where you can configure the setting for allowed Windows
applications. If left blank the user will only be able to logon to the
operating system and nothing else until you populate the allowed application
list which may be harder than expected as some applications depend on other
executables to run though filemon from SysInternals would be very helpful in
sorting that out. The guest account in Windows 2000 also will not save the
guest user profile when the guest logs off. --- Steve

http://www.jsiinc.com/sube/tip2400/rh2492.htm -- filtering local Group
Policy.

 

[Herb Martin]

The fact that a user can not be removed from the user group is probably to
prevent denial of service attacks against the operating system similar in a
way that the built in administrator account can not be removed from the
local administrators group.

Actually not all user are members of the Users group
and this is NOT a "special group" so any user not
a member of the group is not added dynamically.

Such groups include Everyone, Authenticated Users,
Interactive etc.

As Roger says, what you see is what you get EXCEPT
if one of these automatic (or a Global) group is a member
in which case you get all the (current) members of the
included group(s).

User's are added to Users automatically on creation
BY DEFAULT but it can be avoided with certain tools.

For instance the IIS anonymous group is added to Guests
instead.

You cannot remove someone from Users unless you first
get their "default group"(which is mostly for Macintosh
support) change to another group so this also means that
users must be a member of at least one group.

 

[Roger Abell]

in

Actually not all user are members of the Users group
and this is NOT a "special group" so any user not
a member of the group is not added dynamically.

Such groups include Everyone, Authenticated Users,
Interactive etc.

As Roger says, what you see is what you get EXCEPT
if one of these automatic (or a Global) group is a member
in which case you get all the (current) members of the
included group(s).

User's are added to Users automatically on creation
BY DEFAULT but it can be avoided with certain tools.

For instance the IIS anonymous group is added to Guests
instead.

You cannot remove someone from Users unless you first
get their "default group"(which is mostly for Macintosh
support) change to another group so this also means that
users must be a member of at least one group.

. . . for which purpose I sometimes define a Dummy group
that is not used anywhere, except to have accounts' Primary
Group set to Dummy so that they may be removed from their
default (at creation) Primay Group.

Generally I have found that if an account is to be used for
local logon (whether with keyboard or just by logon type)
then that account needs to be in Users (hence INTERACTIVE
being in Users is useful). However, the same does not hold
if the account is only going to make use of network logins.

 

[Les Desser]

The membership in the Users group is only exactly what is shown when
you view it. Now, in a default scenario you will see that Interactive
and Authenticated Users are nested within Users.

Please do you have any pointers as to where I can see this on the system
or at least read about it.

Due to these any account that logs in locally or any account that is
authenticated (respectively) will become a Users member during that
login/usage. These groups do not have to be nested within Users, but
when removed one does need to understand what they have been enabling
so that the parts of that which are needed can be provided.

More reading - groan!

I am just a starter on the Windows security front, but as I see it:-

Users is a sytem group (like SYSTEM) (I wonder if I can delete it) and
it should not be possible to assign anyone to this group. What strange
mind thought up a structure that allows me to remove membership of a
user from a specific group, but the user still remains (in 99.99% of the
time) a member via a hidden route.

Also, why does Windows put every newly created user explicitly into the
Users group? - and thereby totally confuse poor punters like me.

 

[Les Desser]

If you wish to restrict a user add that user to a group and then use
ntfs/registry permissions, user rights, and Group Policy

...[Snipped for later reading]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested
in learning about security issues)

I have removed Users from all security permissions for all
drives/folders and have created my own group to allow a fine level of
control.

Securing Program Files and WINNT[1] took a bit of fiddling to allow
users to run applications.

My Visitor can now play mp3 files in a subfolder of drive to which they
are otherwise barred, and they are barred to all other drives but can
still browse the web and open applications. Other users seem to have
normal access.

[1] WINNT had separate security for each sub-folder - no inheritance. I
have changed that to inherit the settings from WINNT - we will see what
happens in the longer term.

 

[Herb Martin]

If you wish to restrict a user add that user to a group and then use
ntfs/registry permissions, user rights, and Group Policy

..[Snipped for later reading]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested
in learning about security issues)

I have removed Users from all security permissions for all
drives/folders and have created my own group to allow a fine level of
control.

That's [the principle of giving correct permissions
rather than just defaults] is a really good practice but
few do it, and it can be frustrated by tools like Frontpage
will takes (has traditionally taken?) a very simplistic
attitude to setting the permissions on a web server.

Another good move is to substitute such groups for
most references to Everyone , or at least get
Authenticated Users substituted for it.

Securing Program Files and WINNT[1] took a bit of fiddling to allow
users to run applications.

My Visitor can now play mp3 files in a subfolder of drive to which they
are otherwise barred, and they are barred to all other drives but can
still browse the web and open applications. Other users seem to have
normal access.

[1] WINNT had separate security for each sub-folder - no inheritance. I
have changed that to inherit the settings from WINNT - we will see what
happens in the longer term.

[/QUOTE]

 

[Herb Martin]

If you look at a Group with the Users and Groups tools
(Computer Manager) or AD Users/Computer or any
of the common line tools then "what you see if what
you get" as long as you FOLLOW any references to
other groups.

E.g., if GroupA includes GroupB, then the members
of GroupB are effectively members of GroupA.

 

[Steven L Umbach]

That can also work well using a different approach to the same strategy,
particularly on non system folders. I don't like fiddling with permissions
in the \winnt folder without a lot of testing and generally do not recommend
it. However I have not had problems with adding "authenticated users" to
system folder and then removing users and everyone [which NSA security guide
also recommends]. The IIS lockdown tool is interesting in that it will
create a new group and give that group deny permissions to many binaries in
the system folder and other folders on the computer. You can then add a user
to that folder to make sure they do not have access to those binaries [ping,
arp, attrib, etc]. The biggest problems usually arise with deny permissions
in that unintended users, such as administrators, also end up being
affected. Many also seem to forget that not having permissions is an
implicit deny. It is a good idea to take an image of a computer before doing
major changes to permissions. It takes me about 5 minutes to restore a 5 gig
partition from a Ghost image so that I can start over. If you want a good
book on configuring Windows security the Microsoft Windows Security Resource
Kit is a good read and you can buy one from one of the used book vendors on
Amazon for less than ten dollars. I buy a lot of books that way. Many are
books with a bent corner or such that can not be sold as new. For a non
Microsoft perspective the Hacking Exposed Windows 2003 is worth a read. ---
Steve

If you wish to restrict a user add that user to a group and then use
ntfs/registry permissions, user rights, and Group Policy

..[Snipped for later reading]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested in
learning about security issues)

I have removed Users from all security permissions for all drives/folders
and have created my own group to allow a fine level of control.

Securing Program Files and WINNT[1] took a bit of fiddling to allow users
to run applications.

My Visitor can now play mp3 files in a subfolder of drive to which they
are otherwise barred, and they are barred to all other drives but can
still browse the web and open applications. Other users seem to have
normal access.

[1] WINNT had separate security for each sub-folder - no inheritance. I
have changed that to inherit the settings from WINNT - we will see what
happens in the longer term.

 

[Herb Martin]

Along this line is a relatively advance technique where
a group is created (e.g., DenyModify) and everyone who
normally has Change permissions is added, e.g., for the
System32 folder this might be applied to ever EXE, DLL,
SYS, Drv, etc (exectuable) and contain the administrators
& even System so that on a "normal day" even admins
cannot update these files.

During upgrades -- one removes the admins or system
and then restores the group afterwards (the permissions
technically stay in effect the whole time on the files but
by logging on and off the admins effective permissions
change.)

Now, it might be the case that some virus, trojan, or
cracker might be able to work through this roadblock,
the practical effect is that practically none of them
will (be able to) do so.

--
Herb Martin

That can also work well using a different approach to the same strategy,
particularly on non system folders. I don't like fiddling with permissions
in the \winnt folder without a lot of testing and generally do not recommend
it. However I have not had problems with adding "authenticated users" to
system folder and then removing users and everyone [which NSA security guide
also recommends]. The IIS lockdown tool is interesting in that it will
create a new group and give that group deny permissions to many binaries in
the system folder and other folders on the computer. You can then add a user
to that folder to make sure they do not have access to those binaries [ping,
arp, attrib, etc]. The biggest problems usually arise with deny permissions
in that unintended users, such as administrators, also end up being
affected. Many also seem to forget that not having permissions is an
implicit deny. It is a good idea to take an image of a computer before doing
major changes to permissions. It takes me about 5 minutes to restore a 5 gig
partition from a Ghost image so that I can start over. If you want a good
book on configuring Windows security the Microsoft Windows Security Resource
Kit is a good read and you can buy one from one of the used book vendors on
Amazon for less than ten dollars. I buy a lot of books that way. Many are
books with a bent corner or such that can not be sold as new. For a non
Microsoft perspective the Hacking Exposed Windows 2003 is worth a read. ---
Steve

If you wish to restrict a user add that user to a group and then use
ntfs/registry permissions, user rights, and Group Policy

..[Snipped for later reading]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested in
learning about security issues)

I have removed Users from all security permissions for all drives/folders
and have created my own group to allow a fine level of control.

Securing Program Files and WINNT[1] took a bit of fiddling to allow users
to run applications.

My Visitor can now play mp3 files in a subfolder of drive to which they
are otherwise barred, and they are barred to all other drives but can
still browse the web and open applications. Other users seem to have
normal access.

[1] WINNT had separate security for each sub-folder - no inheritance. I
have changed that to inherit the settings from WINNT - we will see what
happens in the longer term.

 

[Les Desser]

E.g., if GroupA includes GroupB, then the members of GroupB are
effectively members of GroupA.

I vote that groups should not be able to include other groups

I did write that rather tongue-in-cheek and from a standpoint of someone
who is a starter in the area of Windows security, but on further
reflection it has merit. There is a lot to be said for transparency and
once you embed groups within groups one starts to lose the picture
rather fast.

 

[Les Desser]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested
in learning about security issues)

Seems like I have done something

As well as the Visitor user, I have created a standard user who is not a
member of Administrators.

When using that profile (as well as Visitors) I can no longer open .jpg
files. MS Photo Editor opens but then gives the error
"No file format information can be found in the Registry".

If I add that user to Administrators then it works - so it must be some
authority problem.

Thanks in anticipation.

 

[Herb Martin]

I vote that groups should not be able to include other groups

Then you will hate NATIVE mode where they can be
arbitrarily nested, e.g., Global in Global ... in Universal
in Universal ... in Local ....

I did write that rather tongue-in-cheek and from a standpoint of someone
who is a starter in the area of Windows security, but on further
reflection it has merit.

It is a practical necessity for large domains, but make
managing even a few hundred users much easier if
you design the structure well.

There is a lot to be said for transparency and
once you embed groups within groups one starts to lose the picture
rather fast.

This probably stems from not setting up the groups
to follow a well-thought out picture -- design -- to
start.

Local groups REALLY represent "a collection of
resources/permissions and/or set of rights for doing
some job" while Global groups really should be
the ones that represent "a bunch of users who should
be given some privelege the same way."

None fo the books tell you that -- most authors
(and therefore admins) continue to think of Local
groups are primarily representing USERS instead
of a set of resources.

 

[Roger Abell]

I can see the point of view, but in larger environments
seeing that a groupX is composed of groupA, groupB,
and groupC, whereas groupY is composed of groupA
and groupD only is highly useful, where groupA, B, C,
D, etc. are fundemental categories of accounts, such as
by roles that they hold in the corp (or family).
The alternative, just seeing a long list of users in
groupX and groupY is error prone.

 

[Roger Abell]

lusrmgr.msc run at a cmd prompt (as you refer to
c:\winnt should I assume this is Windows 2000?)
lets you see the group structure in all existing detail.

Originally Users only held accounts. Later MS invented
Interactive and Authenticated Users and nested these
within. This was as much as anything a response to the
fact that the OS had grown in ways such that if an account
was not a member of Users then things would fail in an
interactive login. It is not just the NTFS permissions in
the system folders, but also a matter of permissions on the
COM components and registry keys, where some grants are
to the Users group.

I think historically the intent was to have Guests, Users,
and Administrators with these three being allowed a tiered
increase in capability. However, thing were IMO not kept
fully clean, and for all practical purposes the distinction
between Guest and any Users member began lost and also
impossible for interactive login. In large part this was a
response to MS observing the common (and reasonable)
practice of removing the default grants to Everyone (which
used to allow Guest to function interactively).

By the way, although it looks like a group in the icon used,
System is best thought of not as a group but as an account.
I think it is treaded as a group because in a stand-alone install
the Local System account (which is used to fire up most of the
core components/services of the OS) is System, but once the
machine is joined to a domain then the domain\Machine$
account also is System.

Aside from accounts and normal groups, you will find some
"group-like" predefined principals used (Interactive, Network,
Authenticated Users, Creator Owner, etc.) whose membership
you cannot adjust. These are like place-holders which get
substitiuted with the "then current" account if the criteria of
the place being held are satisfied. If I have logged in as UserX
at the keyboard, then UserX actually appears in the security
access checks where Interactive is seen when viewing the
definitions, etc..

 

[Roger Abell]

Securing Program Files and WINNT[1] took a bit of fiddling to allow

users to run applications.

Les, you will have also noticed that many of the individual files
have their NTFS permissions explicitly set also.

Let us know what OS version you are using, as things have changed
some between them, and we can refer you to the master file that is
used to set the install default permissions on these folders and files.
The template is actually just a plain text file, and one can do a global
replace on it to change the two characters representing "Users" with
the SID of the custom group - meaning one can come up with a template
that set security so that Users is not used but the custom group has the
settings instead. One can edit the template and then remove the
custom group from the items desired.

I do not really advocate doing this as a standard practice, and there
are so very many (and ill-documented) dependencies; but, the template
does provide for quick reproducability and so facilitate experimentation
especially if combined with something like VMware or VirtualPC where
you just make a copy of the base OS filetree, boot it, fool around, and
delete the copy when done if things are not liked or disasterous.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

If you wish to restrict a user add that user to a group and then use
ntfs/registry permissions, user rights, and Group Policy

..[Snipped for later reading]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested
in learning about security issues)

I have removed Users from all security permissions for all
drives/folders and have created my own group to allow a fine level of
control.

Securing Program Files and WINNT[1] took a bit of fiddling to allow
users to run applications.

My Visitor can now play mp3 files in a subfolder of drive to which they
are otherwise barred, and they are barred to all other drives but can
still browse the web and open applications. Other users seem to have
normal access.

[1] WINNT had separate security for each sub-folder - no inheritance. I
have changed that to inherit the settings from WINNT - we will see what
happens in the longer term.

 

[Les Desser]

Les, you will have also noticed that many of the individual files have
their NTFS permissions explicitly set also.

Let us know what OS version you are using

W2K SP4

, as things have changed some between them, and we can refer you to the
master file that is used to set the install default permissions on
these folders and files.

Thanks