MakeMeAdmin follow-up

[Update Aug 6 2012: Attached the file to this blog post because the external hosting server is being decommissioned.]


Shortly after I first posted MakeMeAdmin, it was pointed out to me that it didn’t work correctly if the current user account had embedded spaces in the name.  I posted a correction in the comments of that post, but I never got around to updating the download version until now.


The updated contains three script files:  MakeMeAdmin.cmd and MakeMePU.cmd temporarily elevate to admin and to Power User, respectively, as before but now work correctly with embedded spaces in the user name.  The new script is MakeMeAdminSC.cmd.  MakeMeAdminSC works just like MakeMeAdmin but uses smart card authentication for the current user instead of password authentication, via the runas.exe /smartcard option.  Insert your smart card before running MakeMeAdminSC; it will prompt you for the admin password, then for your smart card PIN.  (In order to work, the smart card needs to be associated with the account you’re currently logged in under.)


More on “Default Owner”


In my first MakeMeAdmin post, there’s a section called “Objects created while running with elevated privilege,” the main parts of which I’ll recap here:


Normally, when a user creates a securable object, such as a file, folder, or registry key, that user becomes the “owner” of the object and by default is granted Full Control over it.  Prior to Windows XP, if the user was a member of the Administrators group, that group, rather than the user, would get ownership and full control….  Windows XP introduced a configurable option whether ownership and control of an object created by an administrator would be granted to the specific user or to the Administrators group.  The default on XP is to grant this to the object creator; the default on Windows Server 2003 is to grant it to the Administrators group….


If I use MakeMeAdmin to install programs, my normal account will be granted ownership and full control over the installation folder, the program executable files, and any registry keys the installation program creates.  Those access rights will remain even when I am no longer running with administrator privileges.  That’s not what I want at all.  I want to be able to run the app, create and modify my own data files, but not to retain full control over the program files after I have installed it.


I concluded by saying:


For this reason, I changed the “default owner” setting on my computer to “Administrators group”.


Today I would like to go further:  If you are going to use the same account for admin and non-admin activities (e.g., with MakeMeAdmin), I strongly recommend that you change the “Default owner” setting on your computer to “Administrators group”.


Why?  Well, the malware problem is not going away any time soon.  Running with limited privilege will not make the bad guys stop trying to own your computer – there is far too much profit on the line.  Today, running as a normal User instead of as an admin is tremendously effective against malware, because most malware is not designed for lower-privilege scenarios and it just fails.  But as more people begin running as non-admin, the miscreants will adjust accordingly.  Running as LUA, they will have to find new ways to hide their stuff and to get their stuff to run.  You don’t want to give them the ability to write to the folders containing the programs you run every day, especially if you also run the same programs as admin.


When setting up a new system, I would recommend changing the “default owner” setting as early as possible, and using the built-in Administrator account to install as much as possible.  Don’t create or log in with your normal account until after “default owner” has been changed.


Note that changing the security setting does not change the ownership or access control lists (ACLs) of existing objects, only objects created afterwards.  It might be wise to review the security attributes of folders, files and registry keys on your system, or even to consider wiping your system and starting over.  (Tip to get started:  “DIR /Q” displays the owner of listed files and folders.  Try this in your Program Files folder.)


For Windows XP Professional:


To change the setting on Windows XP Professional, open “Local Security Policy” in Administrative Tools, or run secpol.msc.  You need to be an admin to use this tool.  In the left pane, browse to Security Settings \ Local Policies \ Security Options.  The policy name is “System objects: Default owner for objects created by members of the Administrators group”.  The allowable settings are “Administrators group” or “Object creator”.  Change it to “Administrators group.”


For Windows XP Home Edition:


The “Local Security Policy” utility is not available on Windows XP Home Edition.  To change the setting on XP Home, you need to modify the Registry directly.  All caveats about mucking with the Registry apply here.  You need to make this change while running as admin, so if you mess up, you can really mess up!  In RegEdit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.  Find the value called “nodefaultadminowner”.  The supported values are “0” for “Administrators group”, or “1” for “Object creator”.  Set the value to 0.