Why Users dont have write rights to the %windir%\TEMP folder

Hello,

everything is in the title ;-)

Why users don't have the write access to the c:\windows\temp folder
(when Power Users have this access).

Is there a security reason for that ?

I will appreciate to have technical information about that as we have
an application that needs to let "Users" to have write access on this
folder and I will like to see if it is acceptable in terms of security.

Thank you

--
Eric

In message <> Eric
<> was claimed to have wrote:

>Hello,
>
>everything is in the title ;-)
>
>Why users don't have the write access to the c:\windows\temp folder
>(when Power Users have this access).
>
>Is there a security reason for that ?

Yes.

>I will appreciate to have technical information about that as we have
>an application that needs to let "Users" to have write access on this
>folder and I will like to see if it is acceptable in terms of security.

That's not the correct location for temporary files, any and every file
a user needs to write should be in their own profile directory.

The security risk here is that by allowing applications to use a central
temporarily file storage, it potentially allows a malicious user to
place a file here that will exploit a buffer overrun or other similar
bug in an application installed on the machine to cause that application
to do something unexpected.

An example I've seen in real life: A company has a logon script that
downloads a configuration file from the company network into
%systemroot%\temp and performs some configuration of the user's profile
based on that configuration file. A malicious user placed an alternate
configuration file into the %systemroot%\temp directory, marked it as
read-only, then called the help desk and made up a story that would
require the helpdesk to logon to the machine remotely with
administrative access.

When the helpdesk logged on, the logon script was unable to write it's
configuration file, failed to error out and instead proceeded to
configure an administrative level account with options set by the
malicious user. Specifically, a "net group administrators badguy /add"
type command was used, giving badguy way more permissions then they
should have had without anyone being the wiser.

Failing to isolate temporary files isn't automatically a vulnerability,
but it's one method a discovered vulnerability may escalate from being
local-user impacting to system impacting.

"Dave Warren" <dave-> wrote in message
news:...
> In message <> Eric
> <> was claimed to have wrote:
>
>>Hello,
>>
>>everything is in the title ;-)

In future, please put the entire content of your post in the body of the
post, and put only a descriptive "subject" in the subject line.

>>Why users don't have the write access to the c:\windows\temp folder
>>(when Power Users have this access).

By default, power user access is somewhere between administrator and user.
This allows you to give some regular users rights that will allow them to
assist other users. IMHO, this should be done by having special "power user"
accounts that are NOT to be used for other than assisting other users (i.e.
no internet browsing or running corporate applications). Ideally, they
should also have the basics of security explained to them so they don't go
and do something stiupid.

In my organization we have about 20,000 regular user accounts, perhaps 300
accounts having admin access on selected workstations and, in some cases,
servers. The number of "power users" of any type can be counted on the
fingers of zero hands.

>>Is there a security reason for that ?
>
> Yes.
>
>>I will appreciate to have technical information about that as we have
>>an application that needs to let "Users" to have write access on this
>>folder and I will like to see if it is acceptable in terms of security.
>
> That's not the correct location for temporary files, any and every file
> a user needs to write should be in their own profile directory.
>
> The security risk here is that by allowing applications to use a central
> temporarily file storage, it potentially allows a malicious user to
> place a file here that will exploit a buffer overrun or other similar
> bug in an application installed on the machine to cause that application
> to do something unexpected.
>
> An example I've seen in real life:

<snipped: an excellent, real-life example>

Unfortunately, the OP is hooped, unless this is an in-house developed
application that could be modified to comply more closely with security best
practices.

If you do proceed, what I would recommend is that you create a domain-level
security group that will contain all users of the application, and give
change access to the TEMP folder only to that group. Tighter control could
have such a group for each workstation, such that users of the application
would only have this access on the system they normally use for the purpose
rather than on every workstation.

/Al

I have come across one or two applications like that.
Sometimes you can pre-create the file in that folder, then give the users
Modify rights to that file only,
Anthony
http://www.airdesk.com



"Eric" <> wrote in message
news:. ..
> Hello,
>
> everything is in the title ;-)
>
> Why users don't have the write access to the c:\windows\temp folder (when
> Power Users have this access).
>
> Is there a security reason for that ?
>
> I will appreciate to have technical information about that as we have an
> application that needs to let "Users" to have write access on this folder
> and I will like to see if it is acceptable in terms of security.
>
> Thank you
>
> --
> Eric
>
>