
Administrative Rights and Viruses

This is strange and confounding, but it is something that becomes clear when put up to basic scrutiny. The pitch, as Karl Palachuk puts it, is that Windows users who are not local administrative users cannot be infected with viruses. This is an absurd and wrong line of thinking from someone who professes to have been in the IT industry for more than 25 years. But, we can all be wrong, so I say own it, Karl. I’m a little surprised no one has actually discussed this much up until now.

Naturally, he has a whole bunch of pseudo-vague thoughts around the idea that no user without admin rights can be infected with a virus.

Step One: Have a good, current anti-virus program.
Step Two: You need a good patch management system.
Step Three: No one in your company should have “administrative rights” on your computers.
Step Four: You need a good firewall with an anti-virus module installed.
Step Five: You need good habits.
If I were to insist on a sixth, it would be web based filtering.

Right, and really, those are all great suggestions about how you can protect users from viruses, but they also take away from the main idea behind his “wrong” assertion, and that is that he challenged (rather arrogantly) those of us in the industry to prove that a user without admin rights can get a virus.

I feel like he was given many opportunities to see the error of his ways (by those that commented on his post), and still, he seems to insist that this is impossible. For no other reason than that his fallacy is one of the many myths that plague those of us in I.T., I feel like I want him to understand – even by setting up a computer or virtual machine to show this. 1

Why is it possible to be infected as a non-administrative user on Windows? Well, it boils down to two simple things:

  1. User’s Context
  2. User’s Execution Rights

So, (1) is the more straightforward of the two. Every user, administrative or not, has a set of permissions on various resources related to his/her profile. This allows the user, in a default non-administrative or “limited user” context, to modify the desktop, add or remove files from the user’s “Documents” folder and essentially write to areas of the “HKEY_CURRENT_USER” (HKCU) registry key. 2

In (2) the user’s execution rights relate to what programs can run. Generally, the user is able to run applications that don’t require administrative privileges such as Notepad or Microsoft Word. When these applications have “working” data, they’ll write to what’s commonly called the “AppData” folders that the user can read and write from. Applications need to be written to be nice about these things, and most post-Windows XP applications are. 3

So, given a user who runs as a Non-Administrative user on Windows (locally or in the domain), can that user be infected with a virus? Yes.

That user can save the virus application by way of the many dropper tools or via an email attachment. The user’s context allows them to save these files anywhere they have permissions such as the Desktop or the Documents folder. 4

Then, with the file saved, the user can run it. As a default non-administrative user, they can run “.exe” files saved to AppData, for example. As long as the virus keeps its execution and drive modification routines within the user’s context and execution privileges, there is no problem so far. The virus runs in the background.

At this point, the virus has write access to every file in the user’s Documents folder and can encrypt all of them; it can encrypt the user’s Favorites and modify them to point at pop-up sites; and it can hide all links in the user’s part of the Start Menu. 5 Then this virus turns to any accessible shared folders and may encrypt everything it can edit out there. This is not merely true in theory; it is true because I have seen it.
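The “user’s context” argument above can be checked rather than argued. The following audit script is an added example, not part of the original post: run as the ordinary (non-administrative) user being assessed, it reports whether the account is a local administrator and which of the profile locations named above, plus any mapped shares and the two registry hives, that account can actually write to. It only creates and deletes a uniquely named probe file or key; nothing is executed. The folder list and the probe name are assumptions made for this example.

```powershell
# Added example (not from the original post): audit the current user's context.
# Creates and removes a uniquely named probe file/key per location; runs nothing.

function Test-IsLocalAdmin {
    # True when the current token carries the BUILTIN\Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-FolderWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ("ctx-probe-" + [guid]::NewGuid().ToString('N') + ".tmp")
    try {
        [IO.File]::WriteAllText($probe, 'probe')   # throws UnauthorizedAccessException when denied
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryKeyWritable {
    param([Parameter(Mandatory)][string]$Key)   # provider path, e.g. HKCU:\Software
    $probe = Join-Path $Key ("ctx-probe-" + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -Path $probe -Force -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-UserContextReport {
    # Profile locations the post names, plus two that a limited user should not be able to touch.
    $folders = [ordered]@{
        'Desktop'         = [Environment]::GetFolderPath('Desktop')
        'Documents'       = [Environment]::GetFolderPath('MyDocuments')
        'Roaming AppData' = $env:APPDATA
        'Local AppData'   = $env:LOCALAPPDATA
        'Program Files'   = $env:ProgramFiles
        'Windows'         = $env:windir
    }
    # Mapped network drives: the "accessible shared folders" the post mentions.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot }) {
        $folders["Share $($drive.Name):"] = $drive.Root
    }

    $rows = @(foreach ($name in $folders.Keys) {
        [pscustomobject]@{ Location = $name; Path = $folders[$name]; Writable = Test-FolderWritable $folders[$name] }
    })
    $rows += [pscustomobject]@{ Location = 'HKCU\Software'; Path = 'HKCU:\Software'; Writable = Test-RegistryKeyWritable 'HKCU:\Software' }
    $rows += [pscustomobject]@{ Location = 'HKLM\Software'; Path = 'HKLM:\Software'; Writable = Test-RegistryKeyWritable 'HKLM:\Software' }
    return $rows
}

"Account: $env:USERDOMAIN\$env:USERNAME  LocalAdmin: $(Test-IsLocalAdmin)"
Get-UserContextReport | Format-Table -AutoSize
```

Every location that comes back writable for a non-administrative account is a place where a dropper can land a file and where a user-context virus can read and overwrite data; the Program Files, Windows and HKLM rows are there so the contrast with what the account cannot touch is visible in the same report.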

Even worse, however, my most recent comment has been moderated into the ether. I promise I wasn’t being rude. “Disagreements welcome!”, my ass.

  1. Sadly, I cannot find a virtual machine with which to test this, nor do I have the time to build it. I may yet do it.

  2. It is important to note that many of these things can (and should) be further restricted via group policy or permissions.

  3. These too can be further restricted. Cryptolockers, in particular, can be prevented by restricting which applications a user can run and the placement of “exe” files in AppData folders. But this is not what Karl is talking about.

  4. Naturally, the virus executable or script has to be so new that no virus scanner catches it. But, we’re talking about administrative rights, not the efficacy of virus scanners here. Let’s be clear on that. You could have built up an amazing scanning process, and yet that 0-minute virus may get through.

  5. Via file attributes.
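Footnote 3 names the control that actually addresses the “execution rights” half of the argument: stop users from running executables out of their own profile. The following is an added example, not code from the original post or from Karl’s: an AppLocker policy that denies .exe execution from every user’s AppData tree while keeping the usual Program Files, Windows and Administrators allow rules, followed by a dry run with Test-AppLockerPolicy that asks what the policy would decide for a harmless Windows binary in its real location and for a copy of it placed in Local AppData. Nothing is executed. The rule GUIDs, rule names, file name and probe name are made up for this example; the AppLocker module ships only with Enterprise and Server editions.

```powershell
# Added example (not from the original post): deny .exe execution from AppData
# with AppLocker and dry-run the decision. Requires the AppLocker module.

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000001" Name="Deny EXE from AppData"
                  Description="Users must not run executables dropped into their profile"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0002-4000-8000-000000000002" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0003-4000-8000-000000000003" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0004-4000-8000-000000000004" Name="Administrators run everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Write the policy where Test-AppLockerPolicy / Set-AppLockerPolicy can read it.
$policyFile = Join-Path $env:TEMP 'deny-appdata-exe.xml'
Set-Content -LiteralPath $policyFile -Value $policyXml -Encoding UTF8

# Dry run: same binary, two locations. The copy is a real PE so the cmdlet can
# gather file information; it is never launched and is removed afterwards.
$original = Join-Path $env:windir 'System32\whoami.exe'
$probe    = Join-Path $env:LOCALAPPDATA 'probe-whoami.exe'
Copy-Item -LiteralPath $original -Destination $probe -Force
try {
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path $original, $probe |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} finally {
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
}

# To enforce locally (elevated prompt; the Application Identity service must be
# running or AppLocker evaluates nothing):
#   Start-Service AppIDSvc
#   Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
# In a domain, import the same XML into a GPO under Computer Configuration >
# Windows Settings > Security Settings > Application Control Policies > AppLocker.
```

The policy is built so that the deny rule is the only one that can match a path under a user profile, while the same file under %WINDIR% is matched by the Windows allow rule; in AppLocker an explicit deny always wins over an allow, and once the Exe collection is enforced anything no rule allows is denied by default, which is why the Program Files, Windows and Administrators allow rules have to travel with the deny rule rather than being added later.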