There are some legit features in the operating system that would allow you to do things you normally wouldn't with or without Administrator access.
You can use the available APIs, for example, which run in Ring-3 mode of the x86 CPU.
It's a big operating system, Win2k. I mean, there are thousands of APIs which I'm sure are exploitable, and they just haven't been found yet.
Process Tokens are interesting. I was reading an article last night about how to modify a process token of a process handle, to modify memory of another process you wouldn't normally have access to... that was a mouthful.
I was experimenting a little last night with some security APIs but haven't been able to create anything useful with them just yet.
Need to research a bit more, could be days, weeks even...
Or maybe I'll just give up trying to find a problem.
Also, I read a short article about the possibility of jumping to Ring-0 mode on Win2k using the APIs which add LDT entries to the kernel.
The problem that the author encountered was the kernel validating the LDT entry.
But he also found out that depending on the value of the segment registers when calling the API, on some occasions, he would experience different results.
When I mentioned security programs for windows, I suppose yes, I was generally talking about software that locked down systems like Win95/98/ME because NT4/Win2k already has security features to allow you to do so.
It's a little more tricky, as you know.
There is a flaw in Win2k before Service Pack 1+2 which allows anyone to execute commands with SYSTEM privileges.
It's a design error to do with NetDDE, which is enabled by default after Win2k has been installed.
Dildog (Atstake) found this.
It would be cool to be able to circumvent Win2k security features; who wouldn't want to find problems like that for such a high profile operating system?
But it takes more work than finding these problems on Win9x, etc.