COMMAND

    profile permissions

SYSTEMS AFFECTED

    Win Terminal Server

PROBLEM

    David LeBlanc posted the following. There are a lot of security
    issues with concurrent multi-user NT machines, but one that has
    immediate impact (and your question brings to mind) is that
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList is
    world-writable. If you also have access to the file system at
    %systemroot%\profiles, the defaults there allow you to create a
    new profile (though not tamper with existing profiles). The
    exploit is obvious - the ProfileList key gives you the SID of all
    the users who have logged onto the machine 'locally', so you can
    pick a nice juicy admin user, you then create a new, trapped
    profile (say default + extras), point their profile path to the
    trojan, and next time they log in, your evil deeds are done.

SOLUTION

    In David's testing, nothing but the LocalSystem account ever accesses
    any of the keys under ProfileList, so if you set the permissions on
    that key to admins:F, system:F (Full Control for Administrators and
    SYSTEM only, removing the Everyone write entry), everything should
    keep working and the key is no longer writable by ordinary users.
    Note that keys created later under ProfileList simply inherit the
    parent's permissions, so the fix covers profiles of users who log in
    afterwards as well.
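
    The following PowerShell script is an added example and is not part of
    the original advisory (which predates PowerShell; at the time the
    equivalent change was made by hand in regedt32). It audits the ACL on
    the ProfileList key for any Allow entry that grants write-class rights
    (SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership) to a
    principal other than BUILTIN\Administrators or NT AUTHORITY\SYSTEM, and
    with -Apply it removes those entries and grants the two trusted
    principals Full Control with inheritance, which is the admins:F,
    system:F setting described above. The key path, the two well-known SIDs
    and the set of rights treated as "write" are the script's own
    assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original advisory. Audits (and with -Apply,
# hardens) the ACL on the ProfileList registry key so that only
# Administrators and SYSTEM can add or change profile entries.
param([switch]$Apply)

# Assumption: the key lives at its usual location under HKLM.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Well-known SIDs for BUILTIN\Administrators and NT AUTHORITY\SYSTEM, used
# instead of names so the check does not depend on the OS display language.
$TrustedSids = @('S-1-5-32-544', 'S-1-5-18')

# Rights that let a principal create or alter entries under the key. Read
# rights (QueryValues, EnumerateSubKeys, Notify, ReadPermissions) are not
# flagged, because reading the SID list is not what the advisory fixes.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-ProfileListWriteAccess {
    # Returns every Allow ACE (explicit or inherited) that gives a
    # non-trusted principal any of the write-class rights above.
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedSids -contains $sid) { continue }
        if (($ace.RegistryRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-ProfileListAcl {
    # Implements admins:F, system:F from the advisory: stop inheriting from
    # the parent key (copying inherited ACEs so nothing is lost silently),
    # drop every ACE that grants write rights to anyone else, and make sure
    # both trusted principals hold Full Control that propagates to subkeys.
    $acl = Get-Acl -Path $KeyPath
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($ace in @($acl.Access)) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $TrustedSids -notcontains $sid -and
            (($ace.RegistryRights -band $WriteRights) -ne 0)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    foreach ($sidString in $TrustedSids) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sidString
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

$findings = @(Get-ProfileListWriteAccess)
if ($findings.Count -eq 0) {
    Write-Output "OK: no write access to ProfileList outside Administrators/SYSTEM."
} else {
    Write-Output "Write access to ProfileList granted to non-trusted principals:"
    $findings | Format-Table -AutoSize
    if ($Apply) {
        Set-ProfileListAcl
        Write-Output "Hardened ACL applied; re-run without -Apply to verify."
    }
}
```

    On current Windows versions the default ACL on this key already
    restricts writes to Administrators and SYSTEM, so the audit normally
    reports nothing; the script is most useful as a periodic drift check or
    on an old Terminal Server host. The same Get-Acl pattern, with
    FileSystemRights in place of RegistryRights, covers the second half of
    the advisory, the profiles directory under %systemroot% (or its modern
    equivalent), where creating new directories should likewise not be open
    to ordinary users.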