I am trying to lock down Windows 10 64-bit Education laptops that are handed out to teenager users that we don't exactly trust.
I use Secure Boot, I enable BitLocker using TPM 2.0, I disable USB booting and PXE booting. I remove the Recovery Environment, and I don't create the recovery partition, so they can't revert it back to the unconfigured OOBE state by triggering recovery mode.
I only want the end users to be able to write to the storage within their home directory in C:\Users.
But by default Microsoft allows a bunch of security holes that allow programs and documents to be stored in locations outside the home directory, some of them hidden and deeply buried, and even without Local Administrator privileges.
The main one that I currently kill is the ability for "NT AUTHORITY\Authenticated Users" to create a folder in the root of C and then put whatever they want in there.
I do this in a task sequence to remove this vulnerability:
icacls.exe C:\ /C /L /remove:g "NT AUTHORITY\Authenticated Users"
However, there are a bunch of additional user-writable holes in NTFS security and I have no idea why Microsoft allows non-Administrator users to do this.
There are various hacker resources available that document these NTFS security holes, for example this list of vulnerabilities for Windows 10 1803:
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
Some of these security holes appear to be closed in newer versions of Windows 10, but some of them still persist in 21H2.
For example:
Log on as a limited user, non-administrator, with UAC enabled (default).
Open either a command prompt or a PowerShell CLI.
mkdir "C:\Windows\SysWOW64\com\dmp\secretfolder"
Command succeeds, no errors.
echo Interesting > "C:\Windows\SysWOW64\com\dmp\secretfile.txt"
Command succeeds, no errors.
dir "C:\Windows\SysWOW64\com\dmp"
File not found. You cannot see "secretfolder" or "secretfile.txt" in here.
copy "C:\Windows\Web\Screen\img100.jpg" "C:\Windows\SysWOW64\com\dmp\secretfolder"
Command succeeds, no errors. Image copied to secretfolder.
explorer "C:\Windows\SysWOW64\com\dmp\secretfolder"
You can open your secret folder in Explorer, if you know the name of it, and you can copy any files in and out of it. Though you're not allowed to run programs from here.
You can't change directories to the parent. Access denied.
Nothing in here will show up in Windows search, even with Show Protected Files and Show Invisible files enabled.
WHY does Microsoft allow this non-Administrator hidden write access to deep inside "C:\Windows"?
Here is the default NTFS security that enables this (using Local Admin to see this):
icacls "C:\Windows\SysWOW64\com\dmp"
- BUILTIN\Administrators:(OI)(CI)(R,W,D,WDAC,WO,DC)
- CREATOR OWNER:(OI)(CI)(IO)(R,W,D,WDAC,WO,DC)
- NT AUTHORITY\SYSTEM:(OI)(CI)(R,W,D,WDAC,WO,DC)
- BUILTIN\Users:(CI)(S,WD,AD)
What is harmed if I run the following command as elevated Local Administrator or in a Task Sequence, to permanently remove this BUILTIN\Users access?
icacls.exe "C:\Windows\SysWOW64\com\dmp" /C /L /remove:g "BUILTIN\Users"
- processed file: C:\Windows\SysWOW64\com\dmp
- Successfully processed 1 files; Failed processing 0 files
icacls "C:\Windows\SysWOW64\com\dmp"
- BUILTIN\Administrators:(OI)(CI)(R,W,D,WDAC,WO,DC)
- CREATOR OWNER:(OI)(CI)(IO)(R,W,D,WDAC,WO,DC)
- NT AUTHORITY\SYSTEM:(OI)(CI)(R,W,D,WDAC,WO,DC)
"NT AUTHORITY\System" already has write access. Why should anything else unprivileged need or be allowed to write to here?
What is harmed if I also remove all the other User-writable and potentially hidden Windows 10 system directory paths like this?
Tested on Windows 10 Education 64-bit, version 21H2.
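An added audit script (not part of the original post) that walks a system directory tree and lists every explicit Allow ACE granting BUILTIN\Users or Authenticated Users a write-type right, so the directories the question proposes to lock down can be reviewed before any icacls /remove:g is run. It assumes an elevated PowerShell session; the $Root and $Identities parameters and their defaults are the author's own choices.

```powershell
# Audit of user-writable directories under a system root (added example, not
# code from the original post). Run elevated so every ACL can be read.
# Assumed parameters: $Root (tree to scan) and $Identities (principals to report).
param(
    [string]$Root = 'C:\Windows',
    [string[]]$Identities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
)

# Rights that let a non-admin add or change content in a folder. icacls shows
# CreateFiles as WD and CreateDirectories as AD, matching the (S,WD,AD) entry
# the question found on C:\Windows\SysWOW64\com\dmp.
$WriteMask = [System.Security.AccessControl.FileSystemRights] `
    'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-UserWritableAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        # Explicit Allow entries only: inherited ones are fixed by editing the
        # parent, and reporting them would swamp the output with duplicates.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IsInherited) { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Inheritance = $ace.InheritanceFlags   # (OI)/(CI) in icacls terms
            Propagation = $ace.PropagationFlags   # (IO)/(NP) in icacls terms
        }
    }
}

# Include the root itself, then every subdirectory (hidden ones too).
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$dirs | ForEach-Object { Get-UserWritableAce -Path $_.FullName } |
    Sort-Object Path |
    Format-Table -AutoSize
```

A full scan of C:\Windows takes a few minutes; re-run it after each icacls /remove:g to confirm the entry is gone and that no other principal in the list still has a write-type ACE on the same path.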