locked
Strange bug in UAC RRS feed

  • Question

  • I have come across a really strange one:

    You will be able to reproduce this on any win10 or win8.1 system, most probably also on win7, but I have only tested those two.

    1 open secpol.msc, and grant the privilege "change the system time" to user "testuser"

    2 logon as testuser and try to change the time - works. Logoff.

    3 add testuser to another privileged local group, for example "network configuration operators"

    4 logon as testuser, try to change the time... Access is denied.

    Strange, isn't it? But as with all bugs in security matters, we need to analyze it. The same happens if in step 3 we use the group "power users". It does not happen for all local groups, though, for example not for the group "event log readers".

    Open to all comments :-)



    Wednesday, March 30, 2016 12:11 PM

All replies

  • Hi Ronald,

    Thanks for the comments.

    I think this should be related with the default group Access controls.

    See the default local groups:

    https://technet.microsoft.com/en-us/library/cc771990.aspx

    Those are pre-configured with special permissions, so based on my understanding, the ACLs which are defined on those groups might have some conflicts with the user rights you configured, and the system takes Denied in priority.

    Well the default user rights are not clear regarding those groups, so here is only my assumption.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Michael_LS Wednesday, April 6, 2016 7:37 AM
    • Unproposed as answer by Michael_LS Wednesday, April 6, 2016 7:37 AM
    Thursday, March 31, 2016 5:39 AM
  • Hi Michael.

    There are no denials configured. There is no "disallow to change the system time" even configurable, refer to https://support.microsoft.com/en-us/kb/315276 for a list of possible denials.

    I'd like to know if you have ever seen a group with denials imposed on it by default and which group that was.


    Thursday, March 31, 2016 7:59 AM
  • I proceeded and found out the following:
    When either in the groups network configuration operators or power users, the user gets a split-token at logon. People who are familiar with UAC will know what I am talking about, others, please stand clear of this question.

    The problem is: until they activate their full token by elevating, they also lose the privilege to set the system time. This can be verified using the command
    time
    to set the time once on a normal cmd and again on an elevated cmd - different results!

    For whatever reason, the GUI that let's us set the time is not correctly using UAC. It brings up a UAC prompt, but it doesn't accept the user's own credentials but will only accept those of an admin.
    On the command line this works.

    I will report this bug via win10 feedback app, but I guess it will never be resolved since MS has no resources for details like these.


    • Edited by Ronald Schilf Wednesday, April 20, 2016 9:07 PM
    • Proposed as answer by Michael_LS Thursday, April 21, 2016 2:28 AM
    Wednesday, April 20, 2016 3:55 PM
  • Ronald,

    Thank you for your sharing and update.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, April 21, 2016 2:29 AM