  • Tasks for the weekend – July 31st – what to do?

    #2381063

    (Youtube here) This week I’m revisiting two discussions that have been going on regarding actions to be taken on two bugs that are not yet patched. Fi
    [See the full post at: Tasks for the weekend – July 31st – what to do?]

    Susan Bradley Patch Lady

    3 users thanked author for this post.
    • #2381097

      Susan, I have checked out the Carnegie Mellon site and run the checks for the permissions problem.

      I’m running Win 10 Pro 20H2 and was returned the following.

      C:\WINDOWS\system32>icacls %windir%\system32\config\sam
      C:\WINDOWS\system32\config\sam NT AUTHORITY\SYSTEM:(I)(F)
      BUILTIN\Administrators:(I)(F)

      Successfully processed 1 files; Failed processing 0 files

      The results indicated don’t quite fit my case (i.e. No “BUILTIN\Users:(I)(RX)”), so, am I vulnerable or not?

      Dell Inspiron 7580 i7 16GB Win 10 pro 21H1

    • #2381146

      As people test for this we’re finding oddities in permissions.  As I understand it, if you have “C:\Windows\system32\config\sam: Access is denied. Successfully processed 0 files; Failed processing 1 files” then you are NOT vulnerable. Anything that isn’t that is vulnerable.

      Susan Bradley Patch Lady

      • #2381152

        Running icacls as a non-administrative user may fail to process the SAM.  While this indicates that the file’s security descriptor does not grant read/execute access to the BUILTIN\Users group it does not establish that other inappropriate permissions are not present. I may be nit-picking but it seems to me that this is a distinction folks should be aware of.  A more definitive test would be to run icacls as an Administrator to verify that only the permissions that should be granted are listed.

      • #2381185

        Thanks Susan,

        But the Carnegie Mellon site states:
        A system that is not vulnerable will report output like this:

        C:\Windows\system32\config\sam: Access is denied.
        Successfully processed 0 files; Failed processing 1 files

        So my elevated command prompt result seems to fall between 2 stools. Hence my question.

        Dell Inspiron 7580 i7 16GB Win 10 pro 21H1

        • #2381251

          When icacls is run with Administrator privileges (i.e., in an elevated command prompt) it is allowed to read the security descriptors.  A security descriptor for the SAM file that grants Full control to the SYSTEM account and the Administrators group looks OK to me.

          1 user thanked author for this post.
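
An added example, not part of the thread or of any participant's post: the icacls results discussed above (the non-elevated "Access is denied", the elevated listing with only SYSTEM and Administrators, and a listing containing BUILTIN\Users:(I)(RX)) run through a small parser. The allowlist of expected principals, the function names and the second sample are assumptions of this example.

```python
import re

SAM = r"C:\Windows\system32\config\sam"
# Assumption of this example: only these principals are expected on the SAM hive.
EXPECTED = {r"nt authority\system", r"builtin\administrators"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]+\))+)$")

# Elevated run, as posted in the thread.
SAMPLE_ELEVATED = r"""C:\WINDOWS\system32\config\sam NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample containing the BUILTIN\Users:(I)(RX) entry quoted in the thread.
SAMPLE_USERS = r"""C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files"""
# Non-elevated run, as quoted in the thread.
SAMPLE_DENIED = r"""C:\Windows\system32\config\sam: Access is denied.
Successfully processed 0 files; Failed processing 1 files"""

def parse_aces(output, path=SAM):
    """Return (principal, rights, is_deny) tuples from icacls text output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank, summary or error line
        tokens = re.findall(r"\(([^)]+)\)", m.group("perms"))
        rights = [t for t in tokens if t not in INHERIT_FLAGS and t != "DENY"]
        aces.append((m.group("who"), rights, "DENY" in tokens))
    return aces

def classify(output, path=SAM):
    """Return ('unreadable' | 'expected' | 'unexpected', ACEs outside the allowlist)."""
    if "access is denied" in output.lower():
        return "unreadable", []  # descriptor was not read, so no ACE was inspected
    aces = parse_aces(output, path)
    if not aces:
        return "unreadable", []
    extra = [a for a in aces if a[0].lower() not in EXPECTED and not a[2]]
    return ("unexpected" if extra else "expected"), extra
```

"unreadable" only records that no ACE was inspected; "expected" and "unexpected" come from an actual listing, which needs an elevated prompt.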
          • #2381275

            Thanks @EricB, that’s reassuring!

            Dell Inspiron 7580 i7 16GB Win 10 pro 21H1

            • #2381281

              Here’s some more information that may help put your mind at ease.

              On a Windows 10 21H1 system this is what the security descriptor for the SAM file looked like before applying Microsoft’s workaround.

              [Image: Before Workaround]

              [Image: Advanced Before]

              Note that in the Advanced Before image the “Inherited From” column for the three items with Read & Execute access contains “Parent Object” instead of the file system path for the config folder.  This indicates that Windows could not determine the origin of these ostensibly inherited permissions.  For more information about this you can read What does it mean when the Advanced Security Settings dialog says that an ACE was inherited from “Parent Object” without naming the specific parent?

              After applying Microsoft’s workaround this is what things looked like

              [Image: After Workaround]

              and

              [Image: Advanced After]

              1 user thanked author for this post.
    • #2381521

      Interesting @EricB.

      (I felt almost cheated that my SAM access was correct in the first place.)

      Dell Inspiron 7580 i7 16GB Win 10 pro 21H1
