RE: Question regarding su.exe

From: Ryan Permeh (ryan_at_eeye.com)
Date: 06/12/03

    To: "'Grabowski, David'" <david.grabowski@us.mizuho-sc.com>, <focus-ms@securityfocus.com>
    Date: Thu, 12 Jun 2003 11:49:36 -0700
    
    

    David makes a good point. Many so-called "administrator" applications do
    not actually require administrative privileges for more than a few
    resources. Adding your user to those resources may alleviate the problem
    altogether.

    However, there are certain instances where admin rights are required
    / preferable. For instance, loading a driver should require admin rights,
    and certain user and permissions management functions should also require
    them.

    Now, on to your other question. If you use su.exe to elevate the privilege
    of a process into the administrator run space, that process has all the
    rights that a logged in administrator would have. If this process is
    attacked and compromised, it will grant full administrator rights. The only
    solution to this is to use NT's various SE privileges, users/groups, and
    permissions to limit the application to a running space that offers as
    little privilege as possible. However, one thing to take into
    consideration: if your application requires a powerful right to operate, and
    you grant this right to it (for instance, load drivers), it may be able to
    parlay a single system privilege into full access with little to no trouble.

    Often, a vendor will require admin rights rather than going through the
    arduous process of creating and testing a minimum privilege account that
    still holds the keys to your system.

    What it comes down to is that you must trust any vendor that makes code that
    runs on your system, as much, if not more, than your operating system
    vendor.

    Ryan Permeh
    eEye Digital Security

    -----Original Message-----
    From: Grabowski, David [mailto:david.grabowski@us.mizuho-sc.com]
    Sent: Thursday, June 12, 2003 9:12 AM
    To: focus-ms@securityfocus.com
    Subject: RE: Question regarding su.exe

    > -----Original Message-----
    > From: Ben Collins [mailto:BenCollins@gateshead.gov.uk]
    > Sent: Thursday, June 12, 2003 6:23 AM
    > To: 'focus-ms@securityfocus.com'
    > Subject: Question regarding su.exe
    >
    >
    > Hello,
    >
    > We have an external software supplier who has recently updated their
    > product. Unfortunately the only way the application will now work
    > correctly is if the user has Administrative rights. As an organisation
    > we are reluctant to give these rights to our users. The suppliers have
    > suggested that we use su.exe.

    Rather than using su or giving admin access, have you looked at what the app
    actually *does* to see why it needs admin access? I've run into *numerous*
    vendors who claim that their apps need admin access, but they can't answer
    the question WHY. And more often than not, with a little work you can find
    out that the app doesn't really need it.

    FileMon and RegMon (www.sysinternals.com) can be used to look to see what
    files and registry keys the app tries to use. If you run the app as a
    regular user, you will most likely see "Access denied" errors as the app
    runs. You can give users access to those specific resources (i.e., tries a
    write to the registry in HKLM\Software\YourApp) without giving them admin
    access and without any su tricks.

    -Dave
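
The triage step Dave describes, as an added example that is not part of the original thread: it reads a saved monitor log, keeps only the denied requests from one process, and lists each resource with the weakest access (read or write) that would clear the error. The tab-separated column layout, the request names and the sample lines are assumptions constructed for illustration; adjust them to the log your tool actually writes.

```python
import csv
import io

# Constructed sample in an assumed tab-separated export layout:
# sequence, time, process:pid, request, path, result, other
SAMPLE_LOG = "\n".join([
    "1\t09:12:01\tYourApp.exe:1180\tOpenKey\tHKLM\\Software\\YourApp\tSUCCESS\t",
    "2\t09:12:01\tYourApp.exe:1180\tSetValue\tHKLM\\Software\\YourApp\\LastRun\tACCESS DENIED\t",
    "3\t09:12:02\tYourApp.exe:1180\tCREATE\tC:\\Program Files\\YourApp\\app.log\tACCESS DENIED\t",
    "4\t09:12:02\texplorer.exe:644\tSetValue\tHKLM\\Software\\Other\tACCESS DENIED\t",
    "5\t09:12:03\tYourApp.exe:1180\tSetValue\tHKLM\\Software\\YourApp\\LastRun\tACCESS DENIED\t",
    "6\t09:12:03\tYourApp.exe:1180\tQueryValue\tHKLM\\SAM\\Config\tACCESS DENIED\t",
    "truncated line",
])

# Request names treated as modifying the resource (assumed names; extend as needed).
WRITE_REQUESTS = {"setvalue", "createkey", "deletekey", "deletevaluekey",
                  "create", "write", "delete"}
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


def denied_resources(log_text, process_name):
    """Return sorted (kind, path, access, hits) tuples for one process's denied requests."""
    found = {}
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # skip header, blank or truncated lines
        process, request, path, result = row[2], row[3], row[4], row[5]
        if process.rsplit(":", 1)[0].lower() != process_name.lower():
            continue  # other processes' denials are not this app's requirements
        if "DENIED" not in result.upper():
            continue
        access = "write" if request.lower() in WRITE_REQUESTS else "read"
        kind = "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file"
        prev_access, hits = found.get((kind, path), ("read", 0))
        if prev_access == "write":
            access = "write"  # keep the stronger requirement once seen
        found[(kind, path)] = (access, hits + 1)
    return sorted((k, p, a, h) for (k, p), (a, h) in found.items())


if __name__ == "__main__":
    for kind, path, access, hits in denied_resources(SAMPLE_LOG, "yourapp.exe"):
        print(f"{kind:8} {access:5} x{hits}  {path}")
```

The output is a review list, not a grant list: a denied read outside the application's own keys and directories (the constructed `HKLM\SAM\Config` line here) is a question for the vendor rather than an ACL to loosen.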
