T 2.115 Inappropriate handling of standard security groups in Windows Server 2003 and higher
In the Windows Server operating system as of version 2003, additional standard groups were added to the security groups already built into Windows 2000 Server. The rights of these groups cannot be restricted in some cases, and the manufacturer does not provide full documentation for all authorisations. Certain authorisations are not displayed and cannot be administered, such as those of the Network Configuration Operators group.
The groups themselves do not pose a general threat. However, a lack of knowledge about how these groups work, as well as their inappropriate use, can lead to the intentional or accidental misuse of administrator rights and to misconfiguration of the system.
New groups with Windows Server 2003 and higher are:
- Help Services Group
This group for the Help and Support Center is not needed for the administration and operation of the server, but it is open to misuse or misconfiguration because the group can be granted wide-ranging authorisations for administration tools.
- Network Configuration Operators
Members of this group can set and change the parameters of the TCP/IP stack and can therefore render the server inaccessible or open to attack.
- Performance Monitor Users and Performance Log Users
Performance Monitor Users may run and operate the System Monitor program (perfmon.exe) without requiring any special authorisation. Members of the Performance Log Users group can view and administer the System Monitor logs and can configure the monitor to record monitoring data. They have direct access to part of the Windows Management Instrumentation (WMI) database. The information in performance and usage logs is security-relevant, just like information on failures and malfunctions that could indicate attempted attacks.
A threat arises when user accounts unintentionally obtain additional authorisations through these groups.
- Remote Desktop Users
Members of this group can log in to a member server or stand-alone server from another computer using the Remote Desktop Protocol (RDP) and then work on the server as if they were sitting directly in front of the physical system. This poses a risk because any normal user can log in to the server in this manner without requiring any additional, special authorisation.
- Distributed COM Users
In Windows Server 2003 with Service Pack 1 or higher, detailed authorisation structures are available for distributed COM objects (DCOM) to enable better control over the execution of COM modules and the activation of COM objects. In particular, execution from other clients via Remote Procedure Calls (RPC) is easier to control using these structures. Many Windows functions can be controlled via COM objects, including Windows Update, the Resultant Set of Policy, and certificate services. The authorisations are configured in the "Component Services" console. By default, Distributed COM Users have the highest authorisation limit, which even extends beyond the rights granted to normal administrators. Improper handling of this group can render the improved DCOM security functions ineffective or even increase the risk of an attack on the system.
- Creating incoming forest trust relationships
This group has existed on domain controllers since Windows Server 2003. Its members can create unidirectional, incoming trust relationships to the Active Directory forest of an IT system. Through trust relationships, rights can be exercised in the other domain environment, so misuse or negligent handling of this group can give attackers numerous ways of influencing the entire information system.
With Windows Server 2008, further groups are present after installation. This applies both to standalone systems and to servers within a domain.
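The threat described above is that accounts acquire rights through these standard groups without anyone noticing. The following PowerShell script is an added example, not part of the BSI catalogue text: it lists the current membership of the groups named in this entry on a server and flags every member that is not on a documented baseline. It assumes PowerShell on the server itself, that the local group name of the Help Services Group is "HelpServicesGroup" and that the domain group for incoming forest trusts appears as "Incoming Forest Trust Builders" (both assumptions; groups that do not exist on the release being checked are reported as absent rather than causing an error), and it uses the ADSI WinNT provider so that it does not depend on the newer Get-LocalGroupMember cmdlet.

```powershell
# Added example (not from the BSI catalogue): audit the membership of the
# standard groups listed in T 2.115 against a documented baseline.
# Assumptions: group names as given below; run on the server to be checked.

$GroupsToAudit = @(
    'HelpServicesGroup',                 # assumed local name of the Help Services Group
    'Network Configuration Operators',
    'Performance Monitor Users',
    'Performance Log Users',
    'Remote Desktop Users',
    'Distributed COM Users',
    'Incoming Forest Trust Builders'     # assumed name; exists on domain controllers only
)

# Constructed baseline: members whose presence is documented and approved.
# Keys are group names, values are the approved member AdsPaths (WinNT://...).
$ApprovedMembers = @{
    'Remote Desktop Users' = @("WinNT://$env:COMPUTERNAME/RDPOperators")  # placeholder
}

function Get-StandardGroupMembership {
    param(
        [string[]]$GroupNames   = $GroupsToAudit,
        [hashtable]$Baseline    = $ApprovedMembers,
        [string]$ComputerName   = $env:COMPUTERNAME
    )
    foreach ($name in $GroupNames) {
        $members = $null
        try {
            # Bind to the group via the WinNT provider; on a domain controller
            # this also resolves the built-in domain groups.
            $group   = [ADSI]"WinNT://$ComputerName/$name,group"
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
            })
        } catch {
            # The group does not exist on this release or role; report it as absent.
        }
        $approved   = @($Baseline[$name])
        $unexpected = @($members | Where-Object { $approved -notcontains $_ })
        [pscustomobject]@{
            Group      = $name
            Exists     = ($null -ne $members)
            Members    = if ($members) { $members.Count } else { 0 }
            Unexpected = ($unexpected -join '; ')   # members with no documented justification
        }
    }
}

# Every entry in the Unexpected column grants rights beyond those of a normal
# user account and needs either a documented justification or removal.
Get-StandardGroupMembership | Format-Table -AutoSize
```

The check is deliberately comparison-based: an empty group is not automatically safe, and a populated group is not automatically a problem, so the baseline records which memberships were consciously granted and the report shows only the deviations that an administrator has to explain.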