Re: CWS = Crummy Windows Security

From: Ron Parker (ron_at_PARKRRRR.COM)
Date: 10/08/04

  • Next message: David Kennedy CISSP: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
    Date:         Fri, 8 Oct 2004 10:13:53 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    At 04:18 PM 10/7/2004 -0600, Bartlett,James D wrote:
    >Well, the default user of a basic XP installation always has admin
    >rights. Every distressed CWS victim that I have ever dealt with was a
    >low-level user running a single account on a non-domain personal
    >machine. Being the only user on their machines, they were all admins.

    Since you're the second or third person to reply with something like
    this, I obviously wasn't clear enough with my previous statement. My
    point wasn't that AppInit_DLLs is safe because nobody should run as
    admin, anyway. Obviously that's a nice fantasy, but of course it's
    only the reality in well-administered networks. The real point was
    that given all of the other ways a person running as Administrator has
    to mess up the security of his machine, AppInit_DLLs is rather trivial.
    If you're the local administrator on a non-networked machine, you have
    the ability to install a device driver that runs at system startup,
    well before even WinLogon runs, and hooks the kernel's implementation
    of the RegXxx functions. And of course, when you have that ability,
    the lowlife cretin who wrote any spyware you may run also has that
    ability. This blows away anything you can do with AppInit_DLLs; at
    least the AppInit_DLLs method can be bypassed and detected by user-level
    code.

    Andrew Aronoff seems to have gotten the point; he mentions a whitelist
    managed by a central authority. However, I believe that down that
    road lies madness: eventually, because some users are too computer-
    illiterate to be trusted to administer their own machines, all of us
    will have to delegate administration authority to Big Brother. There
    is a compromise, of course, and it's one we've already accepted.
    Windows should treat anything loading in AppInit_DLLs as it currently
    treats a device driver or other plugin and have settings that allow
    the user to only run DLLs that are signed by trusted publishers.

    Of course, that just assumes all over again that users are competent
    to administer their own computers. There's just no getting around
    that assumption without taking administrative power entirely out of
    the hands of "unqualified" users.

    If we're going to demonize Microsoft for something, let's not demonize
    them for one of the hundreds of ways a user with administrative privileges
    can destroy his own computer. Let's demonize them for the real problem:
    that so many people are running untrusted code as Administrator without
    having been told about the security implications thereof.

    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    --
    

  • Next message: David Kennedy CISSP: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"

    Relevant Pages

    • Re: ADO-Zugriff auf Access-DB liefert Fehlermedlung. Aber warum?!?
      ... >> Wann und wo genau bekommst Du diesen Fehler? ... Also 2.8 Nach der Installation kam eine Erfolgreich-Meldung ... Wie unterscheiden sich diese "Typen von Admin" vom wirklichen ... für die nur Administrator entspr. ...
      (microsoft.public.de.vb.datenbank)
    • Re: Alternative to Windows Explorer
      ... One drawback if you use that "runas" approach then you really won't know ... Administrator versus their using their actual account. ... admin, a variation of their normal account. ... > pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • Re: Impact of removing administrative rights in an enterprise running XP
      ... The user probably had to be an administrator to get the virus in the ... You just apply the patch as an admin, ... Regardless, to speak more to the OP, yes, your support model will most ... Impact of removing administrative rights in an enterprise ...
      (Focus-Microsoft)
    • Re: firewall on budget ?
      ... 1)Work in Admin mode, and through 'run as', browse ... If working in admin mode and doing runas to browse in a guest account. ... Installing a program, getting an error, then doing the run as, can be ... running as administrator all the time. ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Is non-admin logon worth it?
      ... on as "Administrator" just as some user that is an admin. ... virus, can do pretty much anything with no need to give permission. ... Inexperienced users with full rights to the machine *(even through a UAC ...
      (microsoft.public.windowsxp.security_admin)