Re: Privilege escalation attack

From: Mike Coppins (mike@legolas.com)
Date: 10/28/02


Date: Mon, 28 Oct 2002 17:16:26 +0000
To: focus-ms@securityfocus.com
From: Mike Coppins <mike@legolas.com>

At 28/10/2002 15:07, Eric Howard wrote:

>This is probably not news for many, but I thought I would throw it out for
>discussion. Microsoft, in my opinion, has committed a grave mistake in
>the NTFS permission scheme for the WINNT directory. ANY user may create
>files in this directory, even AFTER the C2 security rollups are applied.

Yep, this isn't the wisest set of permissions on that directory structure
(I know that there are a number of subdirectories with tightened permissions).

The permissions:

Administrators: Full
Everyone: Read/Execute
System: Full

give a reasonably better level of security, while giving practical use of
the system for users locally logging in (it would also work for a basic
webserver config, but more ACL tightening is STRONGLY recommended),
although there are directories such as Temp which should be more relaxed
(say Everyone: Full), and some directories which should be tightened
further, such as system32\dllcache and winnt\servicepackfiles (don't allow
these dirs to inherit privs from parent, remove Everyone group).

NB for anyone thinking about trying this out:
This is a fairly basic tightening of security, should be tested heavily
before use, etc, etc. Don't blame me if you rolled it out on a live system
and your life is now falling apart around you. That would be your own
stupid fault for not testing it properly :)

-- 
Mike Coppins
mike@legolas.com
http://www.legolas.com/
http://www.copsys.co.uk/
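
An added example, not part of the original post: a Python check that audits exported SDDL strings (for instance the Sddl property returned by PowerShell's Get-Acl) against the baseline in the message above, where only Administrators and System hold write-class rights and directories such as dllcache have inheritance blocked and no Everyone entry. The function names, the `locked` parameter and the sample strings are constructed for illustration; deny ACEs are ignored for brevity.

```python
import re

# Access-mask bits that let a principal create, change or delete content,
# or rewrite the ACL itself (values from the Windows SDK headers).
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100   # add file/subdir, write EA, delete child, write attrs
              | 0x10000 | 0x40000 | 0x80000     # DELETE, WRITE_DAC, WRITE_OWNER
              | 0x10000000 | 0x40000000)        # GENERIC_ALL, GENERIC_WRITE
# SDDL two-letter rights codes that occur on file and directory ACEs.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
TRUSTED = {"BA", "SY"}  # Administrators and System: the two "Full" entries in the post
DACL_RE = re.compile(r"D:([A-Z_]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def parse_mask(rights):
    """Turn an SDDL rights field (hex number or run of two-letter codes) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError on a code this table lacks
    return mask

def audit(sddl, locked=False):
    """Return findings for one directory; locked=True applies the dllcache-style rules."""
    m = DACL_RE.search(sddl)
    if m is None:
        return ["no DACL in SDDL string"]
    flags, aces = m.group(1), m.group(2)
    findings = []
    # "P" marks a protected DACL, i.e. inheritance from the parent is blocked.
    if locked and "P" not in flags.replace("AI", "").replace("AR", ""):
        findings.append("DACL still inherits from parent")
    for ace_type, _ace_flags, rights, trustee in ACE_RE.findall(aces):
        if ace_type != "A":          # only allow ACEs are evaluated here
            continue
        if locked and trustee == "WD":   # WD as a trustee is the Everyone group
            findings.append("Everyone present on locked directory")
        elif trustee not in TRUSTED and parse_mask(rights) & WRITE_BITS:
            findings.append(f"{trustee} holds write-class rights ({rights})")
    return findings

# Constructed sample SDDL strings, not taken from a real system.
LOOSE_WINNT = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;WD)"
BASELINE_WINNT = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;WD)"
INHERITING_DLLCACHE = "O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;FRFX;;;WD)"
LOCKED_DLLCACHE = "O:BAG:SYD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
```

Temp is left out of the audit on purpose, since the post treats it as a directory that should stay relaxed.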


