
  • Tasks for the weekend – July 31st – what to do?

      • #2381063
        Susan Bradley
        Manager

        (Youtube here) This week I’m revisiting two discussions that have been going on regarding actions to be taken on two bugs that are not yet patched. Fi
        [See the full post at: Tasks for the weekend – July 31st – what to do?]

        Susan Bradley Patch Lady

        3 users thanked author for this post.
      • #2381097
        John
        AskWoody Plus

        Susan, I have checked out the Carnegie Mellon site and run the checks for the permissions problem.

        I’m running Win 10 Pro 20H2 and was returned the following.

        C:\WINDOWS\system32>icacls %windir%\system32\config\sam
        C:\WINDOWS\system32\config\sam NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)

        Successfully processed 1 files; Failed processing 0 files

        The results indicated don’t quite fit my case (i.e. No “BUILTIN\Users:(I)(RX)”), so, am I vulnerable or not?

        Dell Inspiron 7580 i7 16GB Win 10 pro 21H1

      • #2381146
        Susan Bradley
        Manager

        As people test for this we’re finding oddities in permissions.  As I understand it, if you have “C:\Windows\system32\config\sam: Access is denied. Successfully processed 0 files; Failed processing 1 files” then you are NOT vulnerable. Anything that isn’t that is vulnerable.

        Susan Bradley Patch Lady

        • #2381152
          EricB
          AskWoody Plus

          Running icacls as a non-administrative user may fail to process the SAM.  While this indicates that the file’s security descriptor does not grant read/execute access to the BUILTIN\Users group it does not establish that other inappropriate permissions are not present. I may be nit-picking but it seems to me that this is a distinction folks should be aware of.  A more definitive test would be to run icacls as an Administrator to verify that only the permissions that should be granted are listed.

        • #2381185
          John
          AskWoody Plus

          Thanks Susan,

          But the Carnegie Mellon site states:
          A system that is not vulnerable will report output like this:

          C:\Windows\system32\config\sam: Access is denied.
          Successfully processed 0 files; Failed processing 1 files

          So my elevated command prompt result seems to fall between 2 stools. Hence my question.

          Dell Inspiron 7580 i7 16GB Win 10 pro 21H1

          • #2381251
            EricB
            AskWoody Plus

            When icacls is run with Administrator privileges (i.e., in an elevated command prompt) it is allowed to read the security descriptors.  A security descriptor for the SAM file that grants Full control to the SYSTEM account and the Administrators group looks OK to me.

            1 user thanked author for this post.
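
An added example, not part of any post in this thread: a small Python parser that reads saved icacls output for the SAM file and applies the check EricB describes, flagging any principal other than SYSTEM and Administrators. The sample outputs are constructed from the ones quoted above, and the function names and the expected-principal set are assumptions of this example.

```python
import re

SAM_PATH = r"C:\Windows\system32\config\sam"
# Principals the thread treats as expected on the SAM file (assumption of this example).
EXPECTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}

# Constructed samples modelled on the outputs quoted in this thread.
ELEVATED_OK = r"""C:\WINDOWS\system32\config\sam NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""
USERS_READ = r"""C:\WINDOWS\system32\config\sam BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""
DENIED = r"""C:\Windows\system32\config\sam: Access is denied.
Successfully processed 0 files; Failed processing 1 files"""

ACE = re.compile(r"(.+?):((?:\([A-Za-z,]+\))+)")

def parse_aces(output, path=SAM_PATH):
    """Map each principal in icacls output to its set of flags, e.g. {'I', 'F'}."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE.fullmatch(line)
        if m:
            aces[m.group(1)] = set(re.findall(r"\(([A-Za-z,]+)\)", m.group(2)))
    return aces

def classify(output, path=SAM_PATH):
    """Return (verdict, unexpected), where unexpected maps principal -> sorted flags."""
    if "Access is denied" in output:
        # icacls could not read the descriptor; rerun elevated to see the full ACL.
        return ("denied", {})
    aces = parse_aces(output, path)
    if not aces:
        return ("unparsed", {})
    extra = {p: sorted(f) for p, f in aces.items() if p not in EXPECTED}
    return ("review", extra) if extra else ("ok", {})

if __name__ == "__main__":
    for name, sample in [("elevated", ELEVATED_OK), ("users", USERS_READ), ("denied", DENIED)]:
        print(name, classify(sample))
```

A "denied" verdict only says the calling account could not read the security descriptor; the "ok" and "review" verdicts need output captured from an elevated prompt.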
            • #2381275
              John
              AskWoody Plus

              Thanks @EricB, that’s reassuring!

              Dell Inspiron 7580 i7 16GB Win 10 pro 21H1

              • #2381281
                EricB
                AskWoody Plus

                Here’s some more information that may help put your mind at ease.

                On a Windows 10 21H1 system this is what the security descriptor for the SAM file looked like before applying Microsoft’s workaround.

                [Image: Before Workaround]

                [Image: Advanced Before]

                Note that in the Advanced Before image the “Inherited From” column for the three items with Read & Execute access contains “Parent Object” instead of the file system path for the config folder.  This indicates that Windows could not determine the origin of these ostensibly inherited permissions.  For more information about this you can read What does it mean when the Advanced Security Settings dialog says that an ACE was inherited from “Parent Object” without naming the specific parent?

                After applying Microsoft’s workaround this is what things looked like

                [Image: After Workaround]
                and

                [Image: Advanced After]

                1 user thanked author for this post.
      • #2381521
        John
        AskWoody Plus

        Interesting @EricB.

        (I felt almost cheated that my SAM access was correct in the first place.)

        Dell Inspiron 7580 i7 16GB Win 10 pro 21H1
