Closing NTFS security holes in Windows 10?

Elastic Expectations 1 Reputation point
2022-08-02T22:31:22.17+00:00

I am trying to lock down Windows 10 64-bit Education laptops that are handed out to teenager users that we don't exactly trust.

I use Secure Boot, I enable BitLocker using TPM 2.0, I disable USB booting and PXE booting. I remove the Recovery Environment, and I don't create the recovery partition, so they can't revert it back to the unconfigured OOBE state by triggering recovery mode.

I only want the end users to be able to write to the storage within their home directory in C:\Users

But by default Microsoft allows a bunch of security holes that allows programs and documents to be stored in locations outside the home directory, some of them hidden and deeply buried, and even without Local Administrator privileges.


The main one that I currently kill is the ability for "NT AUTHORITY\Authenticated Users" to create a folder in the root of C and then put whatever they want in there.

I do this in a task sequence to remove this vulnerability:
icacls.exe C:\ /C /L /remove:g "NT AUTHORITY\Authenticated Users"


However there are a bunch of additional user-writable holes in NTFS security and I have no idea why Microsoft allows non-Administrator users to do this.

There are various hacker resources available that document these NTFS security holes, for example this list of vulnerabilities for Windows 10 1803:

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md

Some of these security holes appear to be closed in newer versions of Windows 10, but some of them still persist in 21H2.


For example:

Logon as a limited user, non-administrator, with UAC enabled (default)

Open either a Command Prompt or PowerShell CLI.

mkdir "C:\Windows\SysWOW64\com\dmp\secretfolder"

Command succeeds, no errors.

echo Interesting > "C:\Windows\SysWOW64\com\dmp\secretfile.txt"

Command succeeds, no errors.

dir "C:\Windows\SysWOW64\com\dmp"

File not found. You cannot see "secretfolder" or "secretfile.txt" in here.

copy "C:\Windows\Web\Screen\img100.jpg" "C:\Windows\SysWOW64\com\dmp\secretfolder"

Command succeeds, no errors. Image copied to secretfolder.

explorer "C:\Windows\SysWOW64\com\dmp\secretfolder"

You can open your secret folder in Explorer, if you know the name of it, and you can copy any files in and out of it. Though you're not allowed to run programs from here.

You can't change directories to the parent. Access denied.

Nothing in here will show up in Windows search, even with Show Protected Files and Show Invisible files enabled.


WHY does Microsoft allow this non-Administrator hidden write access to deep inside "C:\Windows"?

Here is the default NTFS security that enables this (using Local Admin to see this):
icacls "C:\Windows\SysWOW64\com\dmp"

  • BUILTIN\Administrators:(OI)(CI)(R,W,D,WDAC,WO,DC)
  • CREATOR OWNER:(OI)(CI)(IO)(R,W,D,WDAC,WO,DC)
  • NT AUTHORITY\SYSTEM:(OI)(CI)(R,W,D,WDAC,WO,DC)
  • BUILTIN\Users:(CI)(S,WD,AD)


What is harmed if I run the following command as elevated Local Administrator or in a Task Sequence, to permanently remove this BUILTIN\Users access?

icacls.exe "C:\Windows\SysWOW64\com\dmp" /C /L /remove:g "BUILTIN\Users"

  • processed file: C:\Windows\SysWOW64\com\dmp
  • Successfully processed 1 files; Failed processing 0 files

icacls "C:\Windows\SysWOW64\com\dmp"

  • BUILTIN\Administrators:(OI)(CI)(R,W,D,WDAC,WO,DC)
  • CREATOR OWNER:(OI)(CI)(IO)(R,W,D,WDAC,WO,DC)
  • NT AUTHORITY\SYSTEM:(OI)(CI)(R,W,D,WDAC,WO,DC)

"NT AUTHORITY\System" already has write access. Why should anything else unprivileged need or be allowed to write to here?

What is harmed if I also remove all the other User-writable and potentially hidden Windows 10 system directory paths like this?


Tested on Windows 10 Education 64-bit, version 21H2.
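An added example, not part of the original question, that does the audit the question is asking about in PowerShell: it walks a directory tree, reports every Allow ACE that gives a low-privilege principal the create-file (WD) or create-directory (AD) right that BUILTIN\Users holds on C:\Windows\SysWOW64\com\dmp, and with -Remediate removes the explicit BUILTIN\Users entry the same way the question's icacls command does, after saving the current DACL with icacls /save so it can be restored. The $BackupDir location and the Everyone/INTERACTIVE principals in the list are assumptions; the page only names BUILTIN\Users and Authenticated Users.

```powershell
# Added example, not code from the original post: audit a directory tree for
# ACEs that give ordinary users create/write rights, and optionally strip the
# explicit BUILTIN\Users entry the way the question does with icacls.
# Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root      = 'C:\Windows',
    [string]$BackupDir = "$env:ProgramData\AclBackup",   # assumed location for icacls /save files
    [switch]$Remediate
)

# Principals every non-admin logon belongs to (Everyone/INTERACTIVE are assumptions beyond the post)
$LowPrivIdentities = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'Everyone', 'NT AUTHORITY\INTERACTIVE'
)
# icacls WD (WriteData/CreateFiles) = 0x2, AD (AppendData/CreateDirectories) = 0x4
$CreateMask = 0x2 -bor 0x4

function Get-UserWritableDirectory {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
                # Specific-rights check only; an ACE granting GENERIC_WRITE would be missed
                if (([int]$ace.FileSystemRights -band $CreateMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

$findings = Get-UserWritableDirectory -Path $Root
$findings | Format-Table -AutoSize

if ($Remediate) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Inherited entries have to be fixed at the parent, so only explicit ACEs are touched here
    $targets = $findings |
        Where-Object { -not $_.Inherited -and $_.Identity -eq 'BUILTIN\Users' } |
        Select-Object -ExpandProperty Path -Unique
    foreach ($dir in $targets) {
        $backup = Join-Path $BackupDir (($dir -replace '[:\\]', '_') + '.acl')
        # Keep the current DACL so it can be put back with: icacls <parent dir> /restore <file>
        icacls.exe $dir /save $backup /C /L | Out-Null
        if ($PSCmdlet.ShouldProcess($dir, 'Remove BUILTIN\Users access')) {
            icacls.exe $dir /C /L /remove:g 'BUILTIN\Users'
        }
    }
}
```

Run it once without -Remediate to get the list (on 21H2 it should include C:\Windows\SysWOW64\com\dmp with BUILTIN\Users and the (CI)(S,WD,AD) rights the question shows), then with -Remediate -WhatIf to see what would change, and only then for real. Keeping the icacls /save files is the answer to "what is harmed": if a component turns out to need the entry, the saved DACL restores it without guessing at the original rights.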


3 answers

  1. MTG 1,246 Reputation points
    2022-08-03T08:09:06.973+00:00

    Hi.

    I administer applocker in our company and yes, there are many user-writable dirs where one wouldn't expect it.
    "What is harmed" - no one knows. MS does not document why it gives permissions there, and frankly, they often don't know what they are doing, just remember when they made the common auto start folder writable for everyone who upgraded to Win10 1607...

    In "security tight" environments, you don't let users share computers. So if user A somehow manages to become admin on Box X, he will not have achieved anything: no data on X, no passwords on X that would allow lateral movement. If you want to share box X, have it reset to a known state after each user logoff (with VMs, this is easy).
    If you don't like that thought: automate the creation of applocker rules, let accesschk list user-writable directories and create deny rules for non-admins on these folders.
    What harm will be done? No one knows. Just monitor applocker logs (create mails whenever something is blocked) so that you get aware of it.

    1 person found this answer helpful.
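An added example, not MTG's code, of the automation this answer describes: run accesschk to list the directories BUILTIN\Users can write to under a root, turn each into an AppLocker path deny rule scoped to the BUILTIN\Users SID (so local admins are unaffected), load the rules in audit mode, and read back the AppLocker events that the answer says should be monitored. The accesschk path, the output file path and the exact shape of accesschk's output lines are assumptions.

```powershell
# Added example, not MTG's code: feed accesschk's list of user-writable
# directories into AppLocker path deny rules for BUILTIN\Users, start in
# audit mode, and pull the events that should be watched.
# Run elevated, with the Application Identity service running.
param(
    [string]$AccessChk = 'C:\Tools\accesschk.exe',               # assumed path to Sysinternals accesschk
    [string]$Root      = 'C:\Windows',
    [string]$PolicyXml = "$env:ProgramData\UserWritableDeny.xml" # assumed output path
)

# -w write access only, -d directories only, -s recurse, -u suppress access errors
$lines = & $AccessChk -accepteula -nobanner -w -d -s -u 'BUILTIN\Users' $Root
# accesschk prints "RW C:\path" or " W C:\path" per hit (format assumed here); keep the path
$dirs = foreach ($line in $lines) {
    if ($line -match '^\s*R?W\s+(\S.*)$') { $Matches[1].Trim() }
}

$UsersSid = 'S-1-5-32-545'   # BUILTIN\Users; a deny for Everyone would hit admins too

function New-DenyPathRuleXml {
    param([string]$Directory)
    # Trailing \* makes the rule cover everything below the directory
    $path = [System.Security.SecurityElement]::Escape($Directory.TrimEnd('\') + '\*')
    $id   = [guid]::NewGuid()
    @"
    <FilePathRule Id="$id" Name="Deny user-writable: $path" Description="" UserOrGroupSid="$UsersSid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

function New-DenyPolicyXml {
    param([string[]]$Directories, [string]$Mode = 'AuditOnly')
    # Rule IDs must be unique, so each collection gets its own freshly generated rules
    $exeRules    = ($Directories | ForEach-Object { New-DenyPathRuleXml $_ }) -join "`n"
    $scriptRules = ($Directories | ForEach-Object { New-DenyPathRuleXml $_ }) -join "`n"
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$exeRules
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="$Mode">
$scriptRules
  </RuleCollection>
</AppLockerPolicy>
"@
}

# AuditOnly first; switch to 'Enabled' once the log shows nothing legitimate being caught
New-DenyPolicyXml -Directories $dirs | Set-Content -LiteralPath $PolicyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# 8003 = would have been blocked (audit), 8004 = blocked; the Script collection logs the
# same IDs to "Microsoft-Windows-AppLocker/MSI and Script"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-Table -AutoSize
```

Two things to check before enforcing. First, -Merge adds these deny rules to whatever is already in the local policy; AppLocker only allows what an allow rule covers once a collection contains any rule, so the default allow rules for Program Files and Windows must already be present or nothing outside those deny paths will run either (confirm with Get-AppLockerPolicy -Local -Xml). Second, the 8003/8004 query is what the answer's "create mails whenever something is blocked" would poll; wiring it to a scheduled task or your SIEM is the monitoring step.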

  2. Limitless Technology 39,926 Reputation points
    2022-08-03T15:27:22.247+00:00

    Hello

    Thank you for your question and for reaching out. I understand you have a query related to NTFS security.

    Please see below the ways you can achieve this.

    1. Hide and Disable All Items on the Desktop
      GPO User Configuration > Administrative Templates > Desktop > Hide and Disable All Items on the Desktop
    2. Prevent users from accessing C:\ using GPO.

    User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer. Then on the right side under Setting, double click on Prevent access to drives from My Computer.

    Reference :
    https://learn.microsoft.com/en-us/answers/questions/129425/restrict-users-to-store-data-in-local-drive-deskto.html


    --If the reply is helpful, please Upvote and Accept as answer--


  3. Elastic Expectations 1 Reputation point
    2022-08-04T02:43:47.943+00:00

    I'm hoping someone from Microsoft might officially reply here, but I don't know if I should expect that. Is this mainly meant to be a user-to-user support forum?

    Would it be better to submit this to Microsoft Paid Incident Support, or maybe I should submit this to some sort of Microsoft security related support for their antivirus / antimalware?

