by altharaz 1797 days ago
TL;DR:

Some Windows configurations have bad permissions on their SAM database. If a standard user has access to shadow copies (VSS), this can lead to privilege escalation.

Microsoft recommends [1]:

1) Restrict access to the contents of %windir%\system32\config:
  - Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
  - Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

2) Delete Volume Shadow Copy Service (VSS) shadow copies:
  - Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  - Create a new System Restore point (if desired).

--

Also, please note that some authorities seem to address this subject carefully. The French national cybersecurity agency (ANSSI) has, for instance, published a News bulletin [2] but no "real" Security bulletin for this vulnerability [3].

In its News bulletin, the ANSSI specifies that it also affects Windows Vista RTM :).

However, the ANSSI also says that deleting VSS entries (step 2 of Microsoft's recommendations) "must be decided after evaluating the advantages and disadvantages with regard to the risks, in particular because there may be other possibilities for privilege escalation depending on the level of security of your information system."

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

[2] https://www.cert.ssi.gouv.fr/actualite/CERTFR-2021-ACT-031/

[3] https://www.cert.ssi.gouv.fr/alerte/
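An added audit script that is not part of the comment above, of Microsoft's advisory, or of the ANSSI bulletins: it reports the two conditions the comment combines (broad read rights on the registry hive files, and existing shadow copies that would still expose old copies of them), and only applies Microsoft's step 1 when asked. It assumes an elevated PowerShell session; the -Fix switch, the $broadGroups list and the output object layout are this example's own choices.

```powershell
# Added example (not from the HN post, Microsoft or ANSSI). Run from an elevated
# PowerShell session. Without -Fix it only reports; with -Fix it re-enables ACL
# inheritance on the hive files, which is Microsoft's step 1. Step 2 (deleting
# shadow copies) is deliberately left to the operator, per the ANSSI caveat.
param([switch]$Fix)

$configDir = Join-Path $env:windir 'system32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

# Principals that should never hold read access to the hive files. (Constructed
# list for this example; extend it to match your own baseline.)
$broadGroups = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
$readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# Get-Acl only needs READ_CONTROL, so it works even though the hives are locked.
$exposed = foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    foreach ($ace in $acl.Access) {
        $grantsRead = (([int]$ace.FileSystemRights) -band $readData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $ace.IdentityReference.Value -and
            $grantsRead) {
            [pscustomobject]@{
                Hive     = $hive
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Shadow copies made while the ACLs were wrong keep the old, readable hive files,
# which is why the advisory pairs the ACL fix with deleting them.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName

if ($exposed) {
    Write-Warning "Hive files readable by non-administrators:"
    $exposed | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "Hive file ACLs look correct (no broad read rights found)."
}

if ($shadows) {
    Write-Warning ("{0} shadow cop(y/ies) present; review before deciding on step 2:" -f @($shadows).Count)
    $shadows | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "No VSS shadow copies present."
}

if ($Fix -and $exposed) {
    # Microsoft's step 1: restore inherited permissions on everything under config.
    & icacls "$configDir\*.*" /inheritance:e
    Write-Host "Re-run this script to confirm the ACLs; then decide on shadow copies separately."
}
```

The script treats the ACL check and the shadow-copy listing as two separate findings on purpose: fixing the ACLs stops new exposure, but any shadow copy listed in the second table still contains the hive files as they were, so it is the part the ANSSI bulletin says to weigh before deleting.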