Re: Windows update and EFS

From: Särs, Camillo (Camillo.Sars@F-SECURE.COM)
Date: 11/22/01


Message-ID:  <30B026EA81B98D4082E2FD73B14CB812224180@fsfimail1.FI.F-Secure.com>
Date:         Thu, 22 Nov 2001 10:11:01 +0200
From: "Särs, Camillo" <Camillo.Sars@F-SECURE.COM>
Subject:      Re: Windows update and EFS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


>The problem, which has been already reported by Microsoft, is that if
>you use windows update all temporary installation files are created
>within the administrator profile directory and then moved to the system
>directory as a last step.

[...]

>Even if there is a Knowledge base file (Article ID: Q307012, I was
>actually installing DirectX 8.1) explaining this behavior in a quite
>summarized way, I found it a bug that has to be repaired at least for
>all "windows update" scripts.

A quote from Q307012:
"This causes the service pack or hotfix files to be copied to the
%SystemRoot% folder as encrypted files."

Not even Microsoft seems to grasp the complicated semantics of "copying vs.
moving".

This again brings up the issues regarding ACLs and inherited ACLs under NTFS.
If a file is *moved* to a system directory, the process that does the move
should fix any ACLs and attributes (including encryption) before moving it.
(Well, according to the previous discussions, at least.) This is
prohibitively difficult, as the process needs to understand all attributes of
the file that might cause problems. Because of this, I think that the
sensible thing to do is to always *copy* files into system directories. This
will ensure that the new copy is created with ACLs that the system
administrator desires. The installation script can then change these ACLs if
required.

I might be out on a limb here, but I would actually go as far as to claim
that any process that *moves* files out of some temporary directory has got
the whole thing backwards. Temporary directories in secured installations
may have very "strange" ACLs. For instance, they would typically allow
access only for their owner, but possibly allow D for Authenticated users.
Not what you'd like to see in your system directory.

Regards,
Camillo Särs

Any opinions expressed above are mine, and do not necessarily reflect the
opinions of my employer.

-- 
Camillo Särs <Camillo.Sars@F-Secure.com>       http://www.iki.fi/ged/
Security Researcher, F-Secure Corporation      http://www.F-Secure.com

F-Secure products: Securing the Mobile Enterprise
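
The following read-only audit is an added example, not part of the original message. It lists files in a directory that show the symptoms discussed above: the EFS attribute still set, or inherited ACEs that the directory itself could not have supplied. It assumes PowerShell 3.0 or later and a move within the same NTFS volume (which keeps the file's existing ACEs); the `$Path` parameter and the finding labels are hypothetical names, and the ACE comparison is a heuristic.

```powershell
# Added example: audit a directory for files that look as if they were moved
# in from elsewhere (for instance a profile or temp directory). Read-only.
param(
    # Directory to audit; defaults to %SystemRoot% as in the thread.
    [string]$Path = $env:SystemRoot
)

$objectInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$dirAcl = Get-Acl -LiteralPath $Path

# Identities whose ACEs this directory propagates to files created inside it.
$expected = @($dirAcl.Access |
    Where-Object { $_.InheritanceFlags -band $objectInherit } |
    ForEach-Object { $_.IdentityReference.Value })

Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    $findings = @()

    # EFS attribute still set on the file.
    if ($file.Attributes -band [System.IO.FileAttributes]::Encrypted) {
        $findings += 'Encrypted'
    }

    # Skip files whose ACL cannot be read with the current rights.
    try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }

    # A CREATOR OWNER ACE on the directory turns into an ACE for the file's
    # owner, so the owner is accepted as an expected identity.
    $allowed = $expected + $acl.Owner

    # ACEs flagged as inherited that name an identity this directory does not
    # propagate: they were inherited from the file's previous parent.
    $stale = @($acl.Access |
        Where-Object { $_.IsInherited -and ($allowed -notcontains $_.IdentityReference.Value) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
    if ($stale.Count) { $findings += "ForeignInheritedAce: $($stale -join ', ')" }

    if ($findings.Count) {
        [pscustomobject]@{ File = $file.FullName; Findings = $findings -join '; ' }
    }
}
```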
