Re: restrict software installation

From: Kurt Seifried (bugtraq@seifried.org)
Date: 05/28/02


From: "Kurt Seifried" <bugtraq@seifried.org>
To: "Jens Benecke" <mail-020527@jensbenecke.de>, <Gu1tarb0y@aol.com>
Date: Tue, 28 May 2002 13:49:30 -0600


>I would do something like 'mount -o noexec /home', same for /tmp, as
>these are usually the only partitions my users have write access to.
>Preventing users from executing stuff on their home directory and in
>/tmp will effectively prevent them from running their own programs.
>Scripts are excluded of course (as long as the script interpreter lies
>somewhere else).

>Is there some similar principle in Windows? Can you restrict people to
>their home directory only, at all? I seem to remember that e.g. MS
>Office wants write access all over the place, which makes life hard for
>a secure multi-user environment.

No. Windows does not support mounting options à la Linux (i.e. nodev,
nosuid). Now you could install a no-executable security ACL and have it
filter down to all files, but users would still be able to modify the
permissions back. You can prevent users from running stuff using group
policies; however, make sure you specify the entire path, otherwise they can
rename doom.exe to notepad.exe and play it. There are also third-party
software packages such as SecureEXE which check the SHA1 signature on a file
before executing it, and you can control more than .exe with them (.dll,
.scr, java, activex, etc.).

What some companies have done is set up the local workstations as terminals
essentially, installing Windows and heavily securing it, and making the hd
pretty much inaccessible to the user, for which of course you are supposed to
use the central file server to store all your working files/etc, this also
makes software installation more difficult, if the program can live a happy
self-contained life in Z:\foo, great, if not then it won't run very easily.

Of course this ignores the issue of Java/ActiveX code, you will generally
need third party apps to restrict access to these effectively.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.iDefense.com/
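
The difference between the three kinds of rule mentioned in the message above (file name, full path, SHA1 of the file contents), as an added example that is not part of the original post and does not show how Group Policy or SecureEXE is implemented. The directories, file names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def sha1_of(path):
    """SHA-1 of the file contents, read in chunks (SHA-1 because the post names it)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def allowed_by_name(path, names):
    # Weak rule: only the file name is compared, wherever the file lives.
    return os.path.basename(path).lower() in names

def allowed_by_full_path(path, paths):
    # Full-path rule: sound only if users cannot write to the listed locations.
    return os.path.normcase(os.path.abspath(path)) in paths

def allowed_by_hash(path, digests):
    # Content rule: name and location are irrelevant, only the bytes count.
    return sha1_of(path) in digests

def demo():
    root = tempfile.mkdtemp()
    try:
        system_dir = os.path.join(root, "system")  # constructed: admin-only directory
        home_dir = os.path.join(root, "home")      # constructed: user-writable directory
        os.makedirs(system_dir)
        os.makedirs(home_dir)
        approved = os.path.join(system_dir, "notepad.exe")
        renamed = os.path.join(home_dir, "notepad.exe")  # other program, approved name
        copied = os.path.join(home_dir, "editor.exe")    # approved bytes, other name
        with open(approved, "wb") as f:
            f.write(b"constructed bytes of the approved program")
        with open(renamed, "wb") as f:
            f.write(b"constructed bytes of an unapproved program")
        shutil.copyfile(approved, copied)
        names = {"notepad.exe"}
        paths = {os.path.normcase(os.path.abspath(approved))}
        digests = {sha1_of(approved)}
        files = {"approved": approved, "renamed": renamed, "copied": copied}
        return {label: (allowed_by_name(p, names), allowed_by_full_path(p, paths),
                        allowed_by_hash(p, digests)) for label, p in files.items()}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

Each tuple is (name rule, full-path rule, hash rule): the renamed file passes only the name rule, and the copied file passes only the hash rule.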


