Incorrect default user profile permissions in Windows 10 Version 1607

Applies to: Windows 10, version 1607

Symptoms


In Windows 10 versions earlier than Version 1607 (RS1), the permissions for the %systemroot%\users\default folder are always set as follows:

[Image: Normal permissions]

These permissions were changed in Windows 10 Version 1607. The local Users group has the following additional advanced permissions:

  • Create files/write data
  • Create folders/append data

[Image: Permission advanced]

[Image: Permissions]

The new permissions exist in the following scenarios:

  • Windows 7 Service Pack 1 (SP1) operating system (OS) that was upgraded to Windows 10 Version 1607 (RS1).
  • Newly installed Windows 10 Version 1607 OS.
  • Windows 10 Version 1607 OS that was upgraded to Windows 10 RS2 build 15025 retains the extra permissions.

A newly installed instance of Windows 10 Version 1703 does not have these extra permissions.

Cause


This behavior is a defect in Windows 10 Version 1607.

Resolution


To fix this issue, install security update CVE-2017-0295 | Windows Default Folder Tampering Vulnerability.

This update partially fixes this issue by correcting the permissions on the Startup folder (C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). This fix is described in the CVE bulletin:

The security update addresses the vulnerability by correcting permissions on folders inside the DEFAULT folder structure.

However, after the update is installed, the other folders inside C:\Windows\Default retain these incorrect permissions.

Use one of the following two workarounds to correct the other permissions manually if necessary.

Removing permissions for the Users group

The following command removes the permissions granted to BUILTIN\Users. Child objects of C:\Users\Default will inherit the appropriate permissions:

icacls C:\Users\Default /Q /C /T /remove:g BUILTIN\Users

This prevents users from accessing this location and reading objects that might be placed there.

Replacing permissions for the Users group

The following command sets the permissions for BUILTIN\Users to read-only. Child objects of C:\Users\Default will inherit the appropriate permissions:

icacls C:\Users\Default /Q /C /T /grant:r BUILTIN\Users:r

This approach sets the permissions to what is used in newer operating systems, and users can read the folder contents.

The resolution steps have to be run on all affected computers. To manage these permissions, consider following these steps:

  • Update your base Windows 10 Version 1607 images. Remove the permission from the base image so that all future installations of Windows 10 don't have the permissions.
  • Push the permission changes to the computers that already have Windows 10 Version 1607 deployed by using Group Policy, scripting, or another automation solution.
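
To find which folders still carry the extra rights, before or after applying a workaround, a PowerShell audit such as the following can be run on each computer. This is an added example, not part of the original article; it assumes the default profile is at C:\Users\Default, and the function name Get-UsersWriteAce is hypothetical.

```powershell
# Added example: list folders under the default profile where BUILTIN\Users
# is allowed "Create files/write data" or "Create folders/append data".
# Assumption: the default profile lives at C:\Users\Default (override with -Path).
param(
    [string]$Path = 'C:\Users\Default'
)

# Well-known SID of BUILTIN\Users; avoids depending on the localized group name.
$usersSid = 'S-1-5-32-545'

# Only the two rights named in the article are checked (not generic-rights ACEs).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData

function Get-UsersWriteAce {
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder -ErrorAction Stop
    # Ask for trustees as SIDs, and include both explicit and inherited ACEs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Folder    = $Folder
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

# The root folder plus every subfolder, including hidden ones such as AppData.
$folders = @($Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force `
    -ErrorAction SilentlyContinue | ForEach-Object FullName)

$findings = foreach ($f in $folders) {
    try { Get-UsersWriteAce -Folder $f }
    catch { Write-Warning "Cannot read ACL of ${f}: $_" }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No BUILTIN\Users write permissions found under $Path"
}
```

Run it from an elevated session so that every subfolder's ACL can be read; an empty result after either icacls workaround indicates the extra permissions are gone.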

For more information, see the "Configuring Permissions for a File System Directory" section of the Step-by-Step Guide to Using the Security Configuration Tool Set.