windows new users?

cscw

hi

After installing Windows XP SP2, I found 2 new users appear in the "Users"
account group: "NT Authority\Authenticated Users" (S-1-5-11) and "NT
Authority\INTERACTIVE" (S-1-5-4).

Are they supposed to be there (or have I encountered some viruses)? What are the
purposes?

Thanks for helping.
 
John John - MVP

Yes, don't remove them, if you do you won't be able to log on to the
machine. These security principals have been in existence since the
latter NT4 days.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were
authenticated when they logged on. Membership is controlled by the
operating system.

SID: S-1-5-4
Name: Interactive
Description: A group that includes all users that have logged on
interactively. Membership is controlled by the operating system.

John
 
cscw

Hi

Thanks for the response. However, I need the answer to be specific. Which
programs/applications did these users use? Which users are from these 2
groups? If there are too many, just list a few examples.

Are these "authenticated users" and "interactive" users referring to other
security principal identifiers or those real users added by the
administrator? Are they really necessary?

Can the Microsoft Windows experts (or best, some Microsoft Windows service
pack developers) help to advise me on this?

PS: I have encountered this problem on Windows Server 2003 SP2 too. I have
already deleted them (before writing my 1st post) but didn't encounter any
problems logging in.

Thanks for the help.

John John - MVP

I can't be much more specific than that. Anyone who logs on locally is
automatically a member of the interactive group, remove this account
and no one will be able to logon locally.

Anyone who logs on to a domain controller (except guests) is
automatically a member of the interactive group, remove this account
and no one will be able to logon to the domain.

I'm not 100% sure whether or not the Authenticated group is in play for local
logons. Which applications do users use that requires users to be
members of these security principals? If you aren't a member of these
groups you cannot use Winlogon.exe and you cannot logon to the computer!

John
 
John John - MVP

More information here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;q143474
Restricting information available to anonymous logon users

and:

By default, the Authenticated Users group and the Interactive Users
group are added to the Users group on Windows Server 2003 computers.
Membership in the Authenticated Users and Interactive groups is
automatically controlled by the operating system. The Authenticated
Users group is the same as the Everyone group except it does not contain
anonymous users. The Interactive Users group has the “Log on locally”
user right. It includes anyone who is locally logged on to the server,
rather than connected over the network. A member of the Interactive
Users group, whose credentials are trusted, can log on to the server
interactively.

[end quote]

http://tinyurl.com/l5m8bv

John
 
cscw

hi

> The Authenticated Users group is the same as the Everyone group except it
> does not contain anonymous users.
> [end quote]
>
> http://tinyurl.com/l5m8bv
>
> John

Are you sure? I want to know WHY Microsoft is configuring those 2 types
of users (which look like a group since it is named "authenticated
users"/"interactive" but is actually just some security principal USER) to
log in to the system?

From your answers above, isn't it a big security bug (because those are
actually "everyone") if your explanation is true?

> logons. Which applications do users use that requires users to be
> members of these security principals? If you aren't a member of these
> groups you cannot use Winlogon.exe and you cannot logon to the computer!

[end quote]

From your answer above, after they use winlogon.exe to log in, which
application are they trying to use? WHY is Microsoft MAKING them log on BY
DEFAULT?? Isn't that a SECURITY BUG, because Microsoft allows some "unauthorised
users" to log on by default??

PS: I have already told you that all real user accounts can still log in
even when these 2 accounts are deleted.

Can some Windows experts help to advise?

Thanks for the help.
 
John John - MVP

Sooner or later you *will* have problems with your Server 2003
installation if you remove these groups, you will have problems with
many of your server tools if the Authenticated Users group is not
present. With the ever increasing push to secure and lock down machines
those without the Authenticated Users group will hit into a brick wall!
On Vista and Server 2008 removing the Authenticated users may prevent
Explorer.exe from starting. On Windows XP some remote services will not
work, for example you will not be able to receive remote assistance if
you remove the Authenticated Users group. This Authenticated Users
group was created to plug security holes with the Null Sessions, see
here for more explanations:

http://www.microsoft.com/msj/0299/security/security0299.aspx
Security Briefs Q&A, MSJ February 1999

John
 
cscw

Hi

Thanks John. However, the 2 accounts that I mentioned above are usernames
and not a group. They appear as a username and not a group although it is named
"userS" in the account name and they are security principal identifier
accounts.

Is there a possibility that it is a bug or virus by coincidence (because the
account is named "nt authority(some domain)\"username"(realusers\security
principal)?

Does everyone else here have these 2 username accounts in Windows XP/Windows
Server 2003 SP2 and above?

Can the experts here advise me SPECIFICALLY on what they are used for?

Thanks for the help.

 
John John - MVP

Sorry, my mistake, they are members of the "Users" group. But the
information is still the same, if you remove these users you will run
into problems sooner or later. These accounts are on all my XP
machines, they're not a result of virus activity. This is the output of
the 'net localgroup users' command on my machine:

Alias name users
Comment Users are prevented from making accidental or intentional
system-wide changes. Thus, Users can run certified applications, but
not most legacy applications

Members

-------------------------------------------------------------------------------
ASPNET
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
The command completed successfully.

John
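
A check for the point made in the post above, as an added example that is not part of the original thread: it resolves the two SIDs, shows that neither is backed by a local account, and reports whether each is still a member of the Users group and present in the current logon token. It assumes Windows PowerShell 5.1 or later for the LocalAccounts cmdlets; the function name `Get-UsersGroupDefaultReport` is made up for this example, and the restore step only previews the change.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 or later,
# which ships the Microsoft.PowerShell.LocalAccounts cmdlets used below.
# Reading membership works for any user; changing it needs an elevated prompt.

$UsersGroupSid = 'S-1-5-32-545'          # BUILTIN\Users
$DefaultSids   = 'S-1-5-11', 'S-1-5-4'   # the two SIDs quoted in the thread

function Get-UsersGroupDefaultReport {
    # Snapshot once: local account SIDs, group members, current token groups.
    $accountSids = @(Get-LocalUser | ForEach-Object { $_.SID.Value })
    $memberSids  = @(Get-LocalGroupMember -SID $UsersGroupSid |
                     ForEach-Object { $_.SID.Value })
    $identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids   = @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($value in $DefaultSids) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
        [pscustomobject]@{
            Sid            = $value
            # Name resolution is done by the OS, e.g. NT AUTHORITY\INTERACTIVE.
            Name           = $sid.Translate(
                                 [System.Security.Principal.NTAccount]).Value
            # False means there is no account object behind the SID,
            # so there is no password and nothing to log on "as".
            IsLocalAccount = $accountSids -contains $value
            InUsersGroup   = $memberSids  -contains $value
            # Added to the access token by the OS at logon. INTERACTIVE is
            # absent in a network logon such as a PowerShell remoting session.
            InCurrentToken = $tokenSids   -contains $value
        }
    }
}

$report = @(Get-UsersGroupDefaultReport)
$report | Format-Table -AutoSize

# Preview restoring any default member that has been removed.
# Drop -WhatIf to apply the change.
$missing = @($report | Where-Object { -not $_.InUsersGroup })
foreach ($entry in $missing) {
    Add-LocalGroupMember -SID $UsersGroupSid -Member $entry.Sid -WhatIf
}
```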
 
tech guy

To add on my last post, I think you are wrong, John. Remote assistance doesn't
use these 2 accounts to work/login. This feature only requests assistance but
doesn't use any accounts at all. To login and fulfill the remote assistance,
the users use their real accounts themselves (approved, authorised and then
configured, which is under the "remote desktop" group account) to login.

The only thing that you mention right is these 2 security identifiers ONLY use
the winlogon.exe process to login to the system, and this is discouraged because it
will allow the account creator or anyone who knows the password of these 2
accounts to logon, which may result in unauthorized system login (a big
security problem).

Unless you or some other Windows experts (best if some Microsoft Windows
programmer can help) can tell me SPECIFICALLY some RREEAAAAALLLLLY SPECIAL
reason(s), most likely I would think of it as a big security issue and delete
these useless accounts right after the system is installed and
advise everyone else to do the same thing as me.

 
tech guy

Of course they are there if you executed the command because those 2
accounts are still there in your system.

For me, I am going to delete them unless some Windows programmer or real
experts can SPECIFICALLY tell me some RREEAAAAALLLLLY SPECIAL
reason(s) (which most likely I don't think there will be, because the ONLY
THING they do is to allow someone who knows the password of the accounts, or
the creator, to login to the system); most likely I would think of it as a big
security issue and advise everyone else to delete them.

