Solved Serious bug in win7

[100126439]

thank you for all guys helping
i've make it through.

but its wired,
i do a test in win7 32bit that
no matter what i set a file/folder Full Control deny on Administrators Group or Administrator even SYSTEM account
using Administrator account
i still can take the permission back just uncheck the deny box without any access deny.

and i find out one more thing,
the Allow permission Administrators Group, Administrator and SYSTEM account in the testing 32bitwin7
are grey, that mean can't not remove the allow premission ,you only can add deny premission.
its same as my computer before i get the permission back.
but now i can delete the Allow permission.

 

[lehnerus2000]

Inherited Permissions

I think that "greyed out" permissions, actually indicate that the permissions are "Inherited" from a higher level.



Notice that:

• The SYSTEM permissions on E:\ are black.
• The SYSTEM permissions on E:\Games-w7 are grey (Inherited). #

This window confirms that the permissions are "Inherited".

Additional
# The forum auto-complete keeps changing my path name.

 

[Barman58]

The NTFS permissions are set and imposed by the operating system and they are limited to that operating system in that physical system only.

<Snip>

So it is possible to gain access to this hard disk even if it is assigned with deny permissions to Administrators group (This group is limited to that system only), by the following three methods.

1. Remove the HDD from the system and connect it to another system with Windows (XP, Vista or 7) and take ownership and reassign permissions to include full control to Everyone group only deleting all the other permissions.

2. Make the system a dual boot system and access the HDD from second Windows OS (XP, Vista or 7) and take ownership and reassign permissions to include full control to Everyone group deleting all the other permissions.

<Snip>

Not sure if this is actually true for a specific applied Deny on the administrators group as this is always the same SID

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group

[Source]

This information applies up to and including Vista but have nor been able to confirm if win7 is different

It could work out that a new OS would still see the Deny against the files for SID S-1-5-32-544 or the install would somehow override this, (a new installation would certainly not reset any permissions on other than the system drive)

Looks like I have a project to check this out when I have a suitable system to break

 

[rraod]

Nigel,

With respect to your explanation, the role of the server is changing by adding it to the domain, or this server becoming a domain controller, the various Administrator groups are added to the original system. I agree with you.

But in my explanation I was talking about connecting the harddisk to another operating system, and not accessing this system through network. A locked hard disk with Deny permissions will prevent someone to access it while it is in the original host. But once you take it out of the host and connect it to a guest system, the security will not be bulletproof.

This is what I believe. Because the NTFS permissions are reversible once you take out the hard disk from host and connect it to a guest. All you have to do is take ownership and assume full control. They are not like encryption. Once you encrypt something and lost the key, you loose the entire thing for good. With adverse NTFS permissions you will not loose the files for good.

So please do your experimentation ASAP and give us the results. All you need is a dual boot system (preferably with two windows 7 OS's) and a separate HDD for testing. Give deny permissions to Administrators group from one windows 7 and try to remove that Deny permissions from other windows 7 OS and access the files. May be I will learn something new from this experiment.

 

[Barman58]

I will have to see if I can break out some bits (a lot of stuff is in boxes at the moment)

I can see the issue arising because on every new system, even stand alone, the Administrators group is always the same SID [S-1-5-32-544] which is what allows you to access old data, (with permissions for a now obsolete user).

As the system would see that the files are explicitly denied for SID S-1-5-32-544,which is the current administrators group, it should respect this. The other issue is that TakeOwn is one of the permissions affected by a Deny all, so that route may be blocked.

It's certainly got me thinking

It should be possible to enable the win7 hidden administrator from the PE and use this to take ownnership and remove the block