Why Users don't have write rights to the %windir%\TEMP folder

Discussion in 'Server Security' started by Eric, May 11, 2009.

  1. Eric

    Eric Guest

    Hello,

    everything is in the title ;-)

    Why don't users have write access to the c:\windows\temp folder
    (when Power Users have this access)?

    Is there a security reason for that?

    I would appreciate technical information about that, as we have
    an application that needs to let "Users" have write access to this
    folder, and I would like to see if it is acceptable in terms of security.

    Thank you
     
    Eric, May 11, 2009
    #1

  2. Eric

    Dave Warren Guest

    That's not the correct location for temporary files, any and every file
    a user needs to write should be in their own profile directory.

    The security risk here is that by allowing applications to use a central
    temporary file storage, it potentially allows a malicious user to
    place a file here that will exploit a buffer overrun or other similar
    bug in an application installed on the machine to cause that application
    to do something unexpected.

    An example I've seen in real life: A company has a logon script that
    downloads a configuration file from the company network into
    %systemroot%\temp and performs some configuration of the user's profile
    based on that configuration file. A malicious user placed an alternate
    configuration file into the %systemroot%\temp directory, marked it as
    read-only, then called the help desk and made up a story that would
    require the helpdesk to log on to the machine remotely with
    administrative access.

    When the helpdesk logged on, the logon script was unable to write its
    configuration file, failed to error out and instead proceeded to
    configure an administrative level account with options set by the
    malicious user. Specifically, a "net group administrators badguy /add"
    type command was used, giving badguy way more permissions than they
    should have had without anyone being the wiser.

    Failing to isolate temporary files isn't automatically a vulnerability,
    but it's one method a discovered vulnerability may escalate from being
    local-user impacting to system impacting.
     
    Dave Warren, May 11, 2009
    #2
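
The failure described in the post above (a pre-planted, read-only file in a shared temp directory that the logon script silently reuses) is avoided by writing to the per-user temp directory, refusing to open a file that already exists, and stopping on any error. The PowerShell below is an added example, not code from the thread; `Get-CompanyConfig`, the file name pattern and the sample settings are assumptions made for illustration.

```powershell
# Added example, not from the thread. Get-CompanyConfig and its sample
# settings are hypothetical stand-ins for the real network download.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'   # a failed cmdlet aborts instead of continuing

function Get-CompanyConfig {
    # Constructed sample data; a real script would fetch this from a server.
    "HomeDrive=H:`nDefaultPrinter=ExamplePrinter"
}

function Save-ConfigSafely {
    # Default is the per-user temp directory inside the caller's own profile.
    param([string]$BaseDir = [System.IO.Path]::GetTempPath())

    # Fresh, unpredictable name, so there is no fixed path to pre-plant.
    $path = Join-Path $BaseDir ("logoncfg-{0}.tmp" -f [guid]::NewGuid())

    # CreateNew throws if the file already exists: an existing file
    # (read-only or not) is never opened, overwritten or reused.
    $fs = [System.IO.File]::Open($path, 'CreateNew', 'Write', 'None')
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes((Get-CompanyConfig))
        $fs.Write($bytes, 0, $bytes.Length)
    } finally {
        $fs.Dispose()
    }
    return $path
}

$cfg = $null
try {
    $cfg = Save-ConfigSafely
    # Only a file created and written by this run is ever parsed.
    foreach ($line in Get-Content -LiteralPath $cfg) {
        $name, $value = $line -split '=', 2
        Write-Output "would apply: $name = $value"
    }
} catch {
    Write-Warning "Configuration step failed; nothing was applied: $_"
    exit 1
} finally {
    if ($cfg -and (Test-Path -LiteralPath $cfg)) {
        Remove-Item -LiteralPath $cfg -Force
    }
}
```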

  3. Eric

    Al Dunbar Guest

    In future, please put the entire content of your post in the body of the
    post, and put only a descriptive "subject" in the subject line.

    By default, power user access is somewhere between administrator and user.
    This allows you to give some regular users rights that will allow them to
    assist other users. IMHO, this should be done by having special "power user"
    accounts that are NOT to be used for other than assisting other users (i.e.
    no internet browsing or running corporate applications). Ideally, they
    should also have the basics of security explained to them so they don't go
    and do something stupid.

    In my organization we have about 20,000 regular user accounts, perhaps 300
    accounts having admin access on selected workstations and, in some cases,
    servers. The number of "power users" of any type can be counted on the
    fingers of zero hands.
    <snipped: an excellent, real-life example>

    Unfortunately, the OP is hooped, unless this is an in-house developed
    application that could be modified to comply more closely with security best
    practices.

    If you do proceed, what I would recommend is that you create a domain-level
    security group that will contain all users of the application, and give
    change access to the TEMP folder only to that group. Tighter control could
    have such a group for each workstation, such that users of the application
    would only have this access on the system they normally use for the purpose
    rather than on every workstation.

    /Al
     
    Al Dunbar, May 12, 2009
    #3
  4. I have come across one or two applications like that.
    Sometimes you can pre-create the file in that folder, then give the users
    Modify rights to that file only.
    Anthony
    http://www.airdesk.com
     
    Anthony [MVP], May 12, 2009
    #4