Explain Windows 10 Virtual Account (service acc) permissions

0

I am trying to run a PHP-CGI in a low-privilege Virtual Account (Win10 Pro).

How is this (See screenshot #1) possible?

I am running a PHP-CGI service, under a (Virtual) Account NT Service\PHP. The effective permissions of that user in C:\ are all forbidden. However, when running the MKDIR command in a PHP shell-script (that is being ran via PHP-CGI.exe by the NT Service\PHP user) I can create a directory in C:\ .... Is this a ridiculous security/permissions flaw or what am I missing here?

Screenshot #2 (running MKDIR)

Running "whoami" in the PHP-Shell gives: nt service\php

Bonus sidequestion: How can I create a Group of Virtual Accounts (service accounts), to easily set filesystem-permissions for multiple services at once?

Vinzentz

Posted 2019-07-22T04:45:53.773

Reputation: 1

I see, the PHP user is part of Authorized Users group. – Vinzentz – 2019-07-22T05:57:54.443

Answers

0

Okay I found out what caused this. The 'NT Service\PHP' user is part of the group 'Authenticated Users'.

For the bonusquestion: open lusrmgr.msc , create a group, add the appropiate NT Service\names accounts to the group.

Vinzentz

Posted 2019-07-22T04:45:53.773

Reputation: 1

Asked: 2019-07-22T04:45:53.773

Viewed: 148 times

Active: 2019-07-22T06:04:25.710