What happens when you want to share your computer with someone else, but you’re really not in a charitable mood? Create a new user, of course. It sounds like a no-brainer, yet, truth be told, Windows 10’s own account-creation walkthroughs are not what you’d call ‘on point’. So, how do you create a new user on Windows 10?
If you’re still searching for a user-account-creation step-by-step guide, look no further, because I’ve got you covered. This not-so-small guide walks you through the entire process. You’ll learn about the user-account GUI, how to enable ‘God Mode’ on your PC, and how to turn your machine into a kiosk computer. So, without further ado, here’s how account creation works in Windows 10.
How to create a new user on Windows 10 (Easy Way)
Compared to older Windows builds (XP, Vista or Windows 7), it’s quite easy to create a new user on Windows 10. Now, why would someone do that? Creating one or several users on the same machine isn’t a whim, but a very ‘hygienic’ security practice. Even if you’re the one and only owner of the PC, it’s still a good idea to do your day-to-day work from a non-administrative account in case you wind up on the wrong side of the Internet (the best time to wonder how to create a Windows 10 account).
Whatever kind of malware your computer picks up, running it under a standard (non-admin) account limits the damage: code running as that user can’t write to the system directories, install drivers or services, or change machine-wide registry keys (HKLM) without going through a UAC elevation prompt, and a standard user can’t approve that prompt without an administrator’s credentials. It can still read, delete and encrypt that user’s own files, so this is containment, not immunity.
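As an added example (not from the original article), here is a PowerShell check of the situation this paragraph describes: who holds local admin rights on the machine, and whether the account you’re signed in with is one of them. The cmdlets are the LocalAccounts ones that ship with Windows 10; the only assumption is that you run it from the account you use day to day. It checks direct membership of the Administrators group only, not membership inherited through nested domain groups.

```powershell
# Added example (not from the original article): check whether the account you
# use day to day holds local admin rights, and whether this session is elevated.
# Uses the LocalAccounts module that ships with Windows 10; reading group
# membership does not require elevation.

function Test-IsElevated {
    # True only if the current token carries an enabled Administrators SID,
    # i.e. this process is already past a UAC prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Every direct member of local Administrators. Local user accounts are
    # resolved so the report also shows whether they are enabled (the built-in
    # Administrator is normally disabled and should stay that way).
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $member  = $_
        $enabled = $null
        if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
            $enabled = (Get-LocalUser -Name $member.Name.Split('\')[-1]).Enabled
        }
        [pscustomobject]@{
            Name            = $member.Name            # e.g. DESKTOP-1\john
            ObjectClass     = $member.ObjectClass     # User or Group
            PrincipalSource = $member.PrincipalSource # Local, ActiveDirectory, MicrosoftAccount ...
            Enabled         = $enabled
        }
    }
}

$report = @(Get-LocalAdminReport)
$report | Format-Table -AutoSize

# Compare the signed-in account against the direct members found above.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($report.Name -contains $me) {
    Write-Warning "'$me' is a local administrator. Keep it for elevation only and do your daily work from a standard account."
} else {
    Write-Host "'$me' is a standard user; code running as this account cannot change the system without an admin's credentials."
}
Write-Host ("This session is elevated: {0}" -f (Test-IsElevated))
```

An administrator who has not gone through UAC gets a filtered token, so Test-IsElevated returns False for them too; the group report is what tells you whether the account could elevate at all.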
Adding a new user through Accounts’ GUI
Now, the fastest way to create a new user account on Windows 10 is through Settings. Here’s what you’ll need to do:
Step 1. Hit or tap the Start button.
Step 2. Click or tap on the Settings button (the “gear” icon). You can also open Settings by hitting the Windows key on your keyboard and typing “Settings” in the search bar.
Step 3. In Settings, click or tap on Accounts (the icon should be right under Network & Internet).
Step 4. Under Accounts, click or tap on Family & other users.
Step 5. Look under Other users and click on the “+” (plus sign) next to Add someone else to this PC to create a new account on your machine.
Step 6. Enter the email address or phone number of the new user’s Microsoft account (the one they use for Outlook.com, Xbox, OneDrive, Office or Skype) in the field and hit the Next button.
Step 7. Review the details and press the Finish button to complete the registration process.
That’s it – the new user can log in with their Microsoft account email and password. Keep in mind that this method requires a Microsoft account. If you want to create a local account (no online sign-in required), follow the steps below.
How to create a local account with Windows 10
Step 1. Click or tap on the Start button.
Step 2. Head to Settings.
Step 3. Click or tap on Accounts.
Step 4. Go to Family & other users.
Step 5. Under Other users, click or tap on Add someone else to this PC.
Step 6. In the bottom part of the page, click or tap the hyperlink reading I don’t have this person’s sign-in information.
Advice: If the user you’re about to add doesn’t have a Microsoft account, don’t mess around with the email and passwords fields located in the upper part of the screen.
Step 7. Click or tap on the hyperlink reading Add a user without a Microsoft account.
Step 8. In the account registration window, enter the name of the person who’s going to use the computer and choose a password (hint: don’t use “1234” or “qwerty”, wink-wink). Reconfirm your password and set a hint. When you’re done, press the Next button to complete the registration process.
Okay, I have to admit that all of these steps seem basic enough, but the good news is that Windows 10’s account-management settings let you (the administrator) decide what each account is allowed to do. Let’s assume that the account you’re about to create is for a family member.
If you’re not comfortable letting them loose on every application, you can restrict the account to a single app. How? Turn that account into a kiosk, and everything will be hunky-dory.
How to add a user to kiosk
A kiosk-like machine works, more or less, like the public info booths in airports and museums: one app on screen, nothing else. You can do the same with a Windows 10 account if you’re looking to curb its activity. Just follow the steps below to link an account to a kiosk.
Step 1. Create a new user on your Windows 10 machine using one of the featured methods.
Step 2. When you’re done, head to the Family & other people section.
Step 3. On the right side of the screen, click or tap on the Set up assigned access hyperlink (it’s right at the bottom, just above the Set up an account for taking tests at your school feature).
Step 4. In the next screen, link your new user account to the kiosk. Just hit the “+” (plus sign) under the choose an account section and, well, choose.
Step 5. After selecting your “kiosk” account, choose the app the new user will be allowed to run; you’ll find this under the account selection section. Note that this page takes a single Microsoft Store (UWP) app; locking an account to several apps requires a provisioning package or an MDM policy instead.
That’s about it on how to turn a newly created account into a kiosk-like user. Sure, you can always sign out of all your online accounts before handing over the PC, but why bother when you can pin the account to one app? Several clicks later, the account’s ready to use. And yes, you can stop worrying about someone messing up your Netflix playlist and preferences.
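The same kiosk setup can be scripted. The following is an added example, not part of the original article, using the AssignedAccess cmdlets that ship with Windows 10 Pro, Enterprise and Education. The account name ‘KioskUser’ and the app ‘Calculator’ are assumptions, and the ‘!’ test used to tell Store apps from desktop apps is a heuristic, not a documented rule.

```powershell
# Added example (not from the original article): put an existing standard account
# into single-app kiosk mode from an elevated PowerShell, which is what the
# 'Set up assigned access' page does behind the scenes.
# Assumptions: the account 'KioskUser' already exists; the app is 'Calculator'
# as named in the Start menu (any Store app works).
#Requires -RunAsAdministrator

$UserName       = 'KioskUser'    # assumed: a standard local account created earlier
$AppDisplayName = 'Calculator'   # assumed: display name as shown in Start

# Assigned access takes a Store (UWP) app by its AppUserModelId; look it up by name.
$app = Get-StartApps | Where-Object { $_.Name -eq $AppDisplayName } | Select-Object -First 1
if (-not $app) {
    throw "No Start app named '$AppDisplayName'. Run Get-StartApps to see names and AppIDs."
}
# Heuristic: Store app AUMIDs look like 'Package_hash!App'; desktop apps carry no '!'.
if ($app.AppID -notmatch '!') {
    throw "'$AppDisplayName' (AppID '$($app.AppID)') is a desktop app; single-app kiosk needs a Store app."
}

# Refuse to lock down an administrator: the restriction is pointless for an
# account that can simply clear it again.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
if ($admins -contains $UserName) {
    throw "'$UserName' is in Administrators; apply kiosk mode to a standard account."
}

Set-AssignedAccess -UserName $UserName -AppUserModelId $app.AppID

# Show what is now in effect; Clear-AssignedAccess removes the restriction.
Get-AssignedAccess
```

The kiosk account must have signed in at least once so that its profile exists, and the next time it signs in Windows launches only the chosen app; Ctrl+Alt+Del is the way out.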
How to set up a test/school user account
Of course, you can always take the restriction game to the next level by literally turning your computer into a tech version of Hotel California (such a lovely place, indeed). Remember the “Set up an account for taking tests at your school” feature I mentioned earlier?
FYI: it also works for cases when you really don’t want someone to visit non-educational (ahem!) websites. Here’s what you need to know in order to create a test or school account.
Step 1. Go to Accounts.
Step 2. Head to Access work or school.
Step 3. Click or tap on Set Account for taking tests.
Step 4. Select a test-taking account from the drop-down box.
Step 5. Enter the test’s web address.
Hint: if you want to set up an account for your kid, type in the address of an educational website (e.g. National Geographic, Discovery, SparkNotes, Brightstorm). Bear in mind that once the user logs in, they will be unable to access web content other than the website entered in this field.
Step 6. Enforce additional restrictions (i.e. require printing, allow screen monitoring and allow text suggestions).
(Optional) You can use the Set up an account for taking tests feature in conjunction with a lockdown API that basically clamps down the account when the time’s up.
Going Super Saiyan with Your New Account
If you want to step up your account game, there’s the so-called ‘super user’ trick. Despite the name, ‘God Mode’ is not a user type at all, and it grants nothing above what an administrator already has.
‘God Mode’ is simply a specially named folder that Explorer treats as a shortcut to the Control Panel’s All Tasks view: every Control Panel applet and task, listed in one window. It works from any account, but an item only succeeds if your account (and UAC) would let you do the same thing through the normal Control Panel. Remember when you had to dig through Administrative Tools each time you wanted to format a disk partition or manage your computer’s certificates?
With ‘God Mode’ you can launch these tasks directly from a folder on the desktop. Still wondering what tools you’ll find there? Here’s a quick rundown.
- Indexing Options.
- Administrative tools.
- Color Management.
- Date & Time.
- Credential Manager.
- Internet Options.
- Keyboard + mouse.
- Pen & Touch.
- Phone & Modem.
- Network & Sharing Center.
- Power Options.
- Tablet PC setting.
- Taskbar & navigation.
- User Accounts.
- Windows Defender Firewall.
- Windows Mobility Center.
- Work Folders.
- Speech recognition & more.
Word of advice: the folder itself adds no privileges, so the real risk is the account it’s used from. If you do your everyday work from an account in the Administrators group, you’re an easy target.
What it boils down to is this: if a single piece of malware gets past your defenses on an admin account (or you click “Yes” on a UAC prompt you didn’t expect), it has access to everything, and by “everything” I mean every sensitive function of your PC. So keep the ‘God Mode’ folder on a separate admin account you only sign into for maintenance, and, as the saying goes, “tread softly and carry a big gun” (which in this case is a top-notch antimalware product).
How to enable ‘God Mode’ on your PC.
Step 1. Sign in to the account you want the folder in (any account will do; the folder only exposes tasks that account is already allowed to perform).
Step 2. Right-click anywhere on your desktop.
Step 3. Choose New, then Folder.
Step 4. Right-click on the newly created folder and hit Rename.
Step 5. In the text field, copy & paste or write the following line:
N.B. if you don’t like how “GodMode” sounds, you can replace it with any name you like. Just be sure to type the part after the name (the period and the alphanumeric identifier in curly braces) exactly as shown; otherwise Explorer will reject the name with “You must type a file name.”
Step 6. Hit Enter or click anywhere on the desktop to continue. If everything’s right, the folder icon will change to a control panel-like icon.
Step 7. Double-clicking it opens an Explorer window listing every Control Panel task, grouped by category.
Step 8. Profit and tweak like a boss! The ‘God Mode’ gives you access to over 200 functions, some of them being on the more exotic side (set up iSCSI initiator, set up ODBC data sources for x86 and x64 etc.).
Adding a new user account to your PC (Geek Way)
Win10’s Settings app is the fastest way to create a new user, but not the only one. If you’re comfortable typing a few commands, here’s how to do the same from CMD (Command Prompt). Let’s dig right in.
How to create a local account with CMD
Step 1. Fire up the Start menu.
Step 2. Type in “command prompt”.
Step 3. Right-click on the “command prompt” icon and select the Run as administrator option.
Note: it’s required to run CMD in admin mode to create new accounts.
Step 4. When the UAC splash appears, click Yes to continue.
Step 5. Add a new user and assign a password. To do this, type in the following character string:
net user John newnumberwhodis /add
(The C:\Windows\system32> you see in front of the command is the prompt, not part of the command.)
Note: you can change the name and password to anything you like. Just be sure to start the line with net user and end it with /add. Also, a password typed on the command line sits in the console history and can be read by other processes while the command runs; net user John * /add asks for the password interactively instead.
Step 6. Hit Enter. If done correctly, you will receive the following prompt: “The command completed successfully”. Check your Accounts menu to review the new user’s details.
Note: although I would advise against it, you can create a ‘passwordless’ user (a person can log in without a password). To do that just type in the line above but omit the password string.
Here’s a quick example:
net user Smith /add
How to grant admin privileges with CMD to a newly created account
Here’s what to do in order to grant admin privileges to the newly made account.
Step 1. Hit the Start menu.
Step 2. Search for “command prompt”.
Step 3. Run CMD (command prompt) as administrator.
Step 4. Type in the following string:
net localgroup administrators John /add
Note: net user can’t create an admin account in one go. You first create a local user and then add it to the Administrators group, as above. You can check the result with net localgroup administrators.
Advanced tweaks and features
- Add the new account to the domain instead of the local machine (run on a domain-joined computer with domain admin rights; the account is created on the domain controller): net user John newpcwhodis /ADD /DOMAIN
- Assign a full name to the new account: net user John newpcwhodis /ADD /FULLNAME:"John Delaware"
- Allow the new user to change their password: net user John newpcwhodis /ADD /PASSWORDCHG:YES
- Deny the new user a password change: net user John newpcwhodis /ADD /PASSWORDCHG:NO
The same switches work on an existing account; just drop /ADD and the password (e.g. net user John /PASSWORDCHG:NO).
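As an added example that is not part of the original article, here are the same operations (create a standard user with a full name and the no-password-change flag, promote it to admin, create a passwordless user) using the LocalAccounts cmdlets instead of net user. The account names ‘John’ and ‘Smith’ and the full name are assumptions; the password is prompted for instead of being placed on the command line.

```powershell
# Added example (not from the original article): the CMD steps above done with
# the LocalAccounts cmdlets that ship with Windows 10. The password is prompted
# for rather than typed on the command line, so it does not end up in console
# history or process listings. Assumed account names: 'John' and 'Smith'.
#Requires -RunAsAdministrator

function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$FullName = '',
        [switch]$DenyPasswordChange     # same effect as 'net user ... /PASSWORDCHG:NO'
    )
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        throw "Account '$Name' already exists."
    }
    # -AsSecureString keeps the password out of transcripts and history.
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    $params = @{ Name = $Name; Password = $password }
    if ($FullName)          { $params['FullName'] = $FullName }
    if ($DenyPasswordChange) { $params['UserMayNotChangePassword'] = $true }
    # A new local user is placed in the 'Users' group only, i.e. it is a standard account.
    return New-LocalUser @params
}

function Grant-LocalAdmin {
    param([Parameter(Mandatory)][string]$Name)
    # Equivalent of 'net localgroup administrators John /add'.
    Add-LocalGroupMember -Group 'Administrators' -Member $Name
}

function Test-LocalAdmin {
    param([Parameter(Mandatory)][string]$Name)
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
    return [bool]($members -contains $Name)
}

$john = New-StandardUser -Name 'John' -FullName 'John Delaware' -DenyPasswordChange
"Created $($john.Name); local admin: $(Test-LocalAdmin 'John')"

# Promote, then verify the change took effect.
Grant-LocalAdmin -Name 'John'
"After promotion, local admin: $(Test-LocalAdmin 'John')"

# 'net user Smith /add' with no password at all (not recommended; shown for parity).
New-LocalUser -Name 'Smith' -NoPassword | Out-Null

# Domain accounts use a different cmdlet from RSAT's ActiveDirectory module, e.g.
#   New-ADUser -Name 'John' -AccountPassword (Read-Host -AsSecureString) -Enabled $true
```

Test-LocalAdmin is the check worth keeping around: run it for the account you use every day and expect False.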
5 Security Tips to Safeguard Your Newly Created Account
Congrats on creating a new account on your machine! Now, as one good turn deserves another, let’s see what you can do about your account’s cybersecurity. Here are five awesome tips on how to make your PC safe again.
#1. Deploy antimalware/antivirus software on your PC.
Probably the most painless way to protect your PC. Antimalware runs as a system service and protects every account on the machine, so after installing it, check that real-time protection is on and that nobody has switched it off. Windows 10 ships with Microsoft Defender turned on by default; don’t disable it unless you’re replacing it with something else.
Sure, hackers always gun for accounts with elevated privileges, but keep in mind that an unsecured standard account can also be the first foothold. So, if you want to save a couple of bucks, give Starbucks a rest; don’t settle for an inefficient AM/AV solution, because that’s how every malware ‘love affair’ begins.
#2. Careful with Plug-and-Play devices
Yes, I know that nowadays it’s all about cloud storage, but there are still a few of us who carry ‘obsolete’ external storage such as SD cards, flash drives and portable hard drives. As one of my colleagues noted in her article on actionable cybersecurity tips, never plug in a USB device that came from an unverifiable source.
#3. Need a bathroom/cig break? LOCK UP YOUR PC!
If you’re a slob just like yours truly, then you most certainly don’t lock up the computer each time you go on a lunch break or for a little smoke. Bad decision! By not locking up your PC, you basically tell everyone: “Hey! My computer’s up for grabs. Get it while it’s hot!”.
So, if you want to prevent someone from tampering with your PC (or wake up with Nicholas Cage’s face set as the desktop background), do yourself a favor and lock up your station every time you feel like leaving the room.
#4. Keep tabs on your account
It doesn’t matter if you’re using your brother’s/sister’s/SO’s computer; that account is your responsibility and yours alone! If you come across any activity that may qualify as suspicious, run a quick malware scan, and get in touch with the admin ASAP.
On that note, you should definitely refrain from opening suspicious email attachments, using an unsecured network, or downloading pirated content (i.e. games, movies, software).
#5. Revamp your default password
In most cases, the person creating your account will ask you to change the initial password to something else. Take your security up a notch and choose a strong one: 8 characters is the bare minimum, and longer is much better. A mix of upper- and lowercase letters, symbols and numbers helps, but length matters most. You know what they say: there’s safety in numbers, and yes, the longer the password, the harder it is to crack.
It has certainly been a long trip getting from “how do I create a new user account?” to “let me add a switch in CMD to prevent the user from changing their password”. Always remember that using an account other than admin is a very good call, since it prevents most malware from messing with your device’s sensitive functions. As always, if you have any questions or rants, do shoot me a comment. Cheers!
Don’s laptop is infected with malware and he’d like a clean machine, what’s the best way?
What’s the cheapest way to get my Windows laptop swept and cleaned out of malware etc? Don
There are two obvious ways to clean a Windows laptop, and both of them are free. The first is to run a number of anti-malware programs to find and remove the bad stuff. The second is to reset it to factory condition.
The WhatsApp security flaw by far received the most media attention and was the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) affects both the iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely the spyware called Pegasus, which can access the smartphone’s call logs and text messages and can covertly enable and record the camera and microphone.
From a technical perspective, the vulnerability (CVE-2019-3568) is a buffer overflow in WhatsApp’s VOIP stack; remote code execution is achieved by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.
Should you be concerned?
WhatsApp said it believed only a “select number of users were targeted through this vulnerability by an advanced cyber actor.” According to the FT, that threat actor was an Israeli company called NSO Group. NSO developed the exploit to sell on; NSO advertises that it sells products to government agencies “for fighting terrorism and aiding law enforcement investigations”. NSO products (aka “spyware”) are known to be used by government agencies in the UAE, Saudi Arabia and Mexico.
So, if you are one of the 1.5 billion WhatsApp users and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. There may be signs of exploitation, such as unusual glitches and activity on your phone, but spyware of this kind is built to stay hidden, so the absence of signs proves little. Despite the low risk at present, all WhatsApp users should update their WhatsApp app quickly, before criminals attempt to ‘copycat’ the NSO Group exploit.
How to Prevent
Update the WhatsApp app.
iPhone (iOS):
- Open the Apple App Store app
- Search for WhatsApp Messenger
- Tap 'Update' and the latest version of WhatsApp will be installed
- App version 2.19.51 and above fixes the vulnerability
Android:
- Open Google Play Store
- Tap the menu in the top left corner
- Go to “My Apps & Games”
- Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
- App version 2.19.134 and above fixes the vulnerability
How to Prevent
Apply the latest Microsoft Windows update. Microsoft has said anti-virus products will not provide any protection against exploitation of this vulnerability, so applying the Microsoft May 2019 Security Update, released on Tuesday 14th May 2019, is the only way to be certain of protecting against exploitation of this critical vulnerability.
Ensure automatic updates are always kept switched on. By default Windows attempts to download and install the latest security updates; typically you will be prompted to apply the update and accept a reboot. Do this without delay.
To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.
Let me explain why this is so alarming and concerning, why it matters so much to cyber security, and why at many organizations (e.g. the U.S. Government, Paramount Defenses, etc.) it could possibly have resulted in, or in itself be considered, a cyber security breach.
Disclaimer: I'm not making any value judgment about Lenovo; I'm merely basing this on what's already been said.
As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we figured we'd refresh our workforce's PCs. Now, of the major choices available from several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (and one that was decently trustworthy, considering that most of the world is running their operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.
Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.
In particular, regardless of its respected heritage, for us, Lenovo wasn't an option, since it is partly owned by the Chinese Govt.
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.
Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!
Windows Update Downloaded and Installed an Untrusted Self-Signed Lenovo Device Driver on Microsoft Surface!
Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!
Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -
We couldn't quite believe this.
How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft Surface device?
So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -
We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)
Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -
Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -
It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!
As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.
Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -
When we opened that location, we found thirteen items, including six drivers -
Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -
Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet here we have a kernel-mode driver downloaded by Windows Update and installed on a brand-new Microsoft Surface, and all it's signed with is a test certificate, and who knows who wrote this driver!
Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.
If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.
It is thus hard to believe that a Windows kernel-mode driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.
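As an added example (it is not the author's tooling and is not described in the post), here is how to repeat the check described above on any Windows 10 machine: list the third-party driver packages staged in the DriverStore, verify the Authenticode signature of every .sys file in each package, and flag anything that does not chain to a trusted root or whose signer looks like a WDK test certificate. The ‘WDKTestCert’ match and the ‘not Valid’ rule are heuristics; the cmdlets used (Get-WindowsDriver, Get-AuthenticodeSignature) are built into Windows 10.

```powershell
# Added example (not part of the original post): enumerate third-party driver
# packages in the DriverStore and flag any .sys whose Authenticode chain is not
# trusted, or whose signer subject looks like a WDK test certificate.
# Run from an elevated PowerShell; Get-WindowsDriver is in the built-in DISM module.
#Requires -RunAsAdministrator

function Get-DriverSignatureReport {
    # Without -All, Get-WindowsDriver -Online returns only non-inbox (OEM/third-party)
    # packages; inbox drivers are Microsoft's own and are skipped here.
    $packages = Get-WindowsDriver -Online |
        Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date

    foreach ($pkg in $packages) {
        # OriginalFileName points at the INF inside its FileRepository folder;
        # every kernel binary that shipped with the package sits next to it.
        $packageDir = Split-Path -Parent $pkg.OriginalFileName
        $sysFiles   = Get-ChildItem -Path $packageDir -Filter *.sys -Recurse -ErrorAction SilentlyContinue
        foreach ($sys in $sysFiles) {
            $sig    = Get-AuthenticodeSignature -FilePath $sys.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            [pscustomobject]@{
                Package    = $pkg.Driver                 # oemNN.inf, the name it got when installed
                Inf        = Split-Path -Leaf $pkg.OriginalFileName
                Provider   = $pkg.ProviderName
                Class      = $pkg.ClassName
                Staged     = $pkg.Date
                File       = $sys.Name
                Status     = $sig.Status                 # Valid, NotSigned, UnknownError (untrusted root), ...
                Signer     = $signer
                # Heuristic flag: not chaining to a trusted root, or a WDK test-cert subject.
                Suspicious = ($sig.Status -ne 'Valid') -or ($signer -match 'WDKTestCert')
            }
        }
    }
}

$report = @(Get-DriverSignatureReport)
$report | Where-Object { $_.Suspicious } |
    Format-Table Package, Inf, Provider, File, Status, Signer -AutoSize

# The package from the post, if it is present on this machine: which oemNN.inf it
# became, who the provider claims to be and when it was staged.
$report | Where-Object { $_.Inf -eq 'phidmou.inf' } | Format-List
```

Get-WindowsUpdateLog merges the Windows Update ETW traces into a readable WindowsUpdate.log on the desktop, which lets you match a flagged package against the time it was installed, as the author did with the DriverStore folder's creation date.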
Unacceptable and Deeply Concerning
To us, this is unacceptable, alarming and deeply concerning, and here's why.
We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in kernel mode, installed on the device by this device's vendor's (i.e. Microsoft's) own product's (the Windows operating system's) update program!
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.
How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!
This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?
This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?
In our case, it just so happened that we were in front of this device during this Windows Update process, and that's how we noticed this; by the way, after it was done, it gave the familiar Your device is up to date message.
Speaking of which, here's another equally important question: for all organizations that are using Microsoft Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!
Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!
Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.
In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.
If I Were Microsoft, I'd Send a Plane
Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.)
Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
- I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
- I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
- I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
- I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
- I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package
Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than Microsoft Windows and Microsoft Surface?!
Also, speaking of Microsoft's ecosystem, it indeed is time to help safeguard Microsoft's global ecosystem. (But I digress.)
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.
Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that.
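As an added defensive check that is not part of the original post, the following PowerShell inventories every non-inbox driver package in the local driver store, verifies the Authenticode signature on its catalog and .sys files, and flags anything that does not chain to a trusted root or whose signer subject looks like a test certificate; it also reports whether the machine is in test-signing mode. The subject-name patterns are an assumed heuristic, and the script must run elevated on Windows 10.

```powershell
# Added example (not from the original post): find driver packages in the driver store
# that are unsigned, untrusted, or signed with a test certificate.
# Assumptions: run as Administrator on Windows 10; the signer patterns below are a
# heuristic, not an authoritative list of test certificates.
#Requires -RunAsAdministrator

function Get-SuspiciousDriverPackages {
    [CmdletBinding()]
    param(
        # Subject-name fragments treated as test/untrusted signers (assumed heuristic).
        [string[]]$TestSignerPatterns = @('WDKTestCert', 'TestCert', 'Test Root')
    )

    foreach ($drv in Get-WindowsDriver -Online | Where-Object { -not $_.Inbox }) {
        $pkgDir = Split-Path -Parent $drv.OriginalFileName
        # Driver packages are signed through their .cat; kernel .sys files may also carry
        # embedded signatures, so check both kinds of file.
        $files = Get-ChildItem -Path $pkgDir -Include '*.cat', '*.sys' -Recurse -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            $looksTest = $TestSignerPatterns | Where-Object { $subject -like "*$_*" }
            # Anything other than 'Valid' means the chain did not end in a trusted root,
            # the file is unsigned, or the hash does not match.
            if ($sig.Status -ne 'Valid' -or $looksTest) {
                [pscustomobject]@{
                    Inf      = $drv.Driver
                    Provider = $drv.ProviderName
                    Class    = $drv.ClassName
                    File     = $f.FullName
                    Status   = $sig.Status
                    Signer   = $subject
                    Reason   = if ($looksTest) { 'test-certificate signer' } else { $sig.StatusMessage }
                }
            }
        }
    }
}

# Test-signed kernel drivers only load when test-signing mode is on; it should be off.
function Test-TestSigningEnabled {
    (bcdedit /enum '{current}' | Select-String -Pattern '^testsigning\s+Yes').Count -gt 0
}

Get-SuspiciousDriverPackages | Format-Table -AutoSize
"Test-signing mode enabled: $(Test-TestSigningEnabled)"
```

Run it after each Windows Update cycle and keep the output alongside the update log so a newly staged package with a non-Valid status or an unexpected provider stands out.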
All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."
By the way, I happen to be a former Microsoft Program Manager for Active Directory Security, and I care deeply for Microsoft.
For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that global security may depend on Active Directory Security, and thus it may be a matter of paramount defense.
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but I never heard back from anyone at Microsoft in this regard again.
PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?