Re: Privilege escalation attack

From: Mike Coppins (mike@legolas.com)
Date: 10/28/02


Date: Mon, 28 Oct 2002 17:16:26 +0000
To: focus-ms@securityfocus.com
From: Mike Coppins <mike@legolas.com>

At 28/10/2002 15:07, Eric Howard wrote:

>This is probably not news for many, but I thought I would throw it out for
>discussion. Microsoft, in my opinion, has committed a grave mistake in
>the NTFS permission scheme for the WINNT directory. ANY user may create
>files in this directory, even AFTER the C2 security rollups are applied.

Yep, this isn't the wisest set of permissions on that directory structure
(I know that there are a number of subdirectories with tightened permissions).

The permissions:

Administrators: Full
Everyone: Read/Execute
System: Full

give a reasonably better level of security, while giving practical use of
the system for users locally logging in (it would also work for a basic
webserver config, but more ACL tightening is STRONGLY recommended),
although there are directories such as Temp which should be more relaxed
(say Everyone: Full), and some directories which should be tightened
further, such as system32\dllcache and winnt\servicepackfiles (don't allow
these dirs to inherit privs from parent, remove Everyone group).

NB for anyone thinking about trying this out:
This is a fairly basic tightening of security, should be tested heavily
before use, etc, etc. Don't blame me if you rolled it out on a live system
and your life is now falling apart around you. That would be your own
stupid fault for not testing it properly :)

-- 
Mike Coppins
mike@legolas.com
http://www.legolas.com/
http://www.copsys.co.uk/
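An added example, not part of Mike's post or the original thread: a read-only PowerShell audit that reports whether the broad groups still hold create/write rights on %SystemRoot% and on the two subdirectories the post says to tighten further. It assumes a current Windows with PowerShell and Get-Acl (neither existed in 2002, when cacls.exe was the tool); the list of broad groups and the rights mask are assumptions chosen here, not from the post.

```powershell
# Added audit example, not from the original post. Read-only: it reports
# which of the named directories still grant write/create rights to broad
# groups; it changes no ACL. Assumes a Windows with PowerShell and Get-Acl
# (the 2002 thread predates both; cacls.exe was the tool at the time).
$systemRoot = $env:SystemRoot

# Directories the post discusses. Tight = the post says to block inheritance
# and remove Everyone entirely. Temp is allowed to be relaxed, so it is skipped.
$targets = @(
    @{ Path = $systemRoot;                      Tight = $false },
    @{ Path = "$systemRoot\system32\dllcache";  Tight = $true  },
    @{ Path = "$systemRoot\servicepackfiles";   Tight = $true  }
)

# Rights that let a principal add, alter or delete content (assumed mask,
# chosen here as what contradicts "Everyone: Read/Execute").
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteDacl, WriteOwner'
# Assumed set of "broad" principals to flag.
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-WinntAcl {
    param([hashtable]$Target)
    if (-not (Test-Path -LiteralPath $Target.Path)) {
        return [pscustomobject]@{ Path = $Target.Path; Status = 'missing'; Detail = '' }
    }
    $acl = Get-Acl -LiteralPath $Target.Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $broadGroups -notcontains $who) { continue }
        if ($Target.Tight -and $who -eq 'Everyone') {
            $findings += "$who present (post says remove Everyone here)"
        } elseif (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "$who can write/create ($($ace.FileSystemRights))"
        }
    }
    # The post says dllcache/servicepackfiles must not inherit from the parent.
    if ($Target.Tight -and -not $acl.AreAccessRulesProtected) {
        $findings += 'inherits ACEs from parent (post says block inheritance)'
    }
    $status = if ($findings.Count -gt 0) { 'FINDING' } else { 'ok' }
    [pscustomobject]@{ Path = $Target.Path; Status = $status; Detail = ($findings -join '; ') }
}

$targets | ForEach-Object { Test-WinntAcl -Target $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt; a FINDING row means the ACL on that directory does not match what the post recommends, which is worth confirming in a test environment before any tightening, as the post itself advises.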