Regular user account running under high integrity level - What can be the reason?
Two (separate) Windows Server 2008 Enterprise Terminal Servers. Regular (domain) users run in the expected medium integrity level on one, but high on the other. The local group membership is identical.
What, other than local group membership, can cause a regular user account to run in the "high mandatory level" instead of the "medium mandatory level"? Local policies? UAC settings? (Looking at the Control Panel, UAC is turned off on both.)
This is whoami /groups taken from the server with the unexpected behaviour. As you can see, the user is not a member of any groups considered high privilege, yet the integrity level is: High Mandatory Level
Domain groups filtered to protect the innocent.
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==============================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level   Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group, Local Group
How does a seemingly regular user account end up with "Mandatory Label\High Mandatory Level"?
whoami /groups taken from the server with the expected behaviour:
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==============================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192  Mandatory group, Enabled by default, Enabled group, Local Group
The only difference is the order in which BUILTIN\Remote Desktop Users and BUILTIN\Users are listed.
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/
April 8th, 2011 12:09pm
FYI: One difference is the service pack. The one that works as expected is SP1, the other one that's showing odd behaviour is SP2.
Anyone have ideas?
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/
April 12th, 2011 12:17pm
shit, interesting, but I am not the one with any ideas :-)
I would try my luck with some High process starting the child processes.
Or, it now occurred to me, go and check with CHML the level of the CMD and WHOAMI executables. It may be that only the two (or WHOAMI alone) are running at HIGH.
I would also use Process Explorer to investigate group memberships and levels of other processes of the same user.
ondrej.
April 12th, 2011 9:13pm
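An added example, not posted by anyone in this thread, of the check ondrej suggests, done from PowerShell instead of Process Explorer: it reads each process token's TokenIntegrityLevel through P/Invoke and prints the level next to the parent PID, so a session where every process of a user is High (and the userinit.exe -> explorer.exe -> cmd.exe chain) can be seen in one listing. The TokenIL class and its GetRid helper are this example's own; the RID-to-name table is the standard mandatory label SIDs (S-1-16-xxxx, as in the whoami output above). Only Get-WmiObject and Add-Type are used so it runs on the PowerShell 2.0 that ships with Server 2008.

```powershell
# Added example (not from the thread): list the integrity level of every process token.
# Processes of other users or of SYSTEM cannot be opened from a normal session and show as n/a.
$code = @"
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("kernel32.dll", SetLastError=true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int retLen);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the last sub-authority of the token's mandatory label SID
    // (8192 = Medium, 12288 = High, ...) or -1 if the token cannot be read.
    public static int GetRid(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) return -1;
        IntPtr token;
        if (!OpenProcessToken(proc, TOKEN_QUERY, out token)) { CloseHandle(proc); return -1; }
        int len;
        // First call only reports the buffer size needed for TOKEN_MANDATORY_LABEL.
        GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out len);
        IntPtr buf = Marshal.AllocHGlobal(len);
        int rid = -1;
        try {
            if (GetTokenInformation(token, TokenIntegrityLevel, buf, len, out len)) {
                IntPtr sid = Marshal.ReadIntPtr(buf);   // TOKEN_MANDATORY_LABEL.Label.Sid
                int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                rid = Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
            }
        } finally {
            Marshal.FreeHGlobal(buf);
            CloseHandle(token);
            CloseHandle(proc);
        }
        return rid;
    }
}
"@
Add-Type -TypeDefinition $code

# Standard mandatory label RIDs (the xxxx in S-1-16-xxxx).
$levels = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus'
             12288 = 'High'; 16384 = 'System'; 20480 = 'Protected' }

# Parent PIDs, so the listing doubles as the process tree Process Explorer would show.
$parents = @{}
Get-WmiObject Win32_Process | ForEach-Object { $parents[[int]$_.ProcessId] = [int]$_.ParentProcessId }

Get-Process | ForEach-Object {
    $rid = [TokenIL]::GetRid($_.Id)
    New-Object PSObject -Property @{
        Name      = $_.Name
        PID       = $_.Id
        ParentPID = $parents[[int]$_.Id]
        Integrity = $(if ($rid -lt 0) { 'n/a' } elseif ($levels.ContainsKey($rid)) { $levels[$rid] } else { "RID $rid" })
    }
} | Sort-Object Integrity, Name | Format-Table Name, PID, ParentPID, Integrity -AutoSize
```

Run it from the affected user's own RDP session: in the expected case explorer.exe and everything under it report Medium; the behaviour described in this thread shows up as every process of the user, explorer.exe included, reporting High. Comparing the ParentPID column with the Integrity column tells you whether the label is already High at userinit.exe (i.e. set at logon) or only appears further down the tree.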
Yeah, all processes for the user are running with high integrity level.
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/
April 13th, 2011 4:14pm
And does Process Explorer show what process they were started from? ... the tree structure.
ondrej.
April 13th, 2011 4:21pm
Everything is running as "High" (or "System"; nothing at all is "Medium" or "Low", for any user), explorer.exe included, which has userinit.exe as its parent.
CHML shows the same output for both servers:
File C:\Windows\explorer.exe's integrity level: Unknown
("unknown" because SDDL string was "S:AI".)
Inheritance flags:
Integrity policies:
No read up: disabled
No execute up: disabled
No write up: disabled
(Actually, in this "no policy" case, Windows seems to behave as if there is a "no write up" policy in effect.)
It's the same output for userinit.exe. Icacls does not show integrity level for either executable.
This is quite interesting, to say the least.
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/
April 14th, 2011 2:00pm
Very interesting. We could ask support whether they can offer any hint?
ondrej.
April 14th, 2011 2:37pm
Andreas,
Did you find out what caused the integrity level? I seem to have the same problem.
Gr, Iwan
October 7th, 2011 9:08am
Hi,
No, unfortunately not. This one still eludes me.
Out of curiosity, how did you notice this behavior on your server?
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/
October 7th, 2011 9:58am