May 01, 2006

The "Power User" account isn't a good security compromise for running as a limited user on Windows

I've said it before and have been criticized. The Windows Power User is just NOT an acceptable account for least privilege. It is far too easy to elevate privileges to gain Administrative rights on the system. I have even shown this live during a presentation at a security conference. And still many disagreed with me. I can never figure that out.

But not Mark Russinovich. Mark has done an EXCELLENT job in investigating this and showing how simple it really is, all while creating a new Sysinternals tool to help in the investigation. On his blog today he posted about "The Power in Power Users". I think his conclusions are worth repeating here:

"The bottom line is that while Microsoft could fix the vulnerabilities I found in my investigation, they can’t prevent third-party applications from introducing new ones while at the same time preserving the ability of Power Users to install applications and ActiveX controls. The lesson is that as an IT administrator you shouldn’t fool yourself into thinking that the Power Users group is a secure compromise on the way to running as limited user."

I highly recommend you check out Mark's post on the matter. And then check it out for yourself. You can download the AccessChk tool he used in the post over at Sysinternals.

One thing worth mentioning and alluded to in Mark's post is the fact that in Vista, this attack vector has been plugged. Power Users' rights are managed differently with UAC; they are treated as limited users from the get-go. Then again, so is the Administrator account.

Posted by SilverStr at May 1, 2006 10:40 AM