RE: Active Directory Question

From: Kayne Ian (Softlab) (Ian.Kayne_at_softlab.co.uk)
Date: 01/14/04

    To: focus-ms@securityfocus.com
    Date: Wed, 14 Jan 2004 10:21:01 -0000

    > There are some weird apps that monitor the titles of all windows on the
    > desktop and forcibly close them if they match the list

    That's a really bad technique to rely on. 30 seconds and a copy of UltraEdit
    (or any hex editor) and you can bypass this.

    A better way (for example) would be to write an app that hooks kernel calls
    to load a process, then compare a checksum of the process in question to a
    "whitelist" of allowed application checksums - if a match is found, the call
    is allowed. If not, the call is denied. Bear in mind that you need to
    checksum the loaded process, not the exe file on disk; otherwise any packer
    (UPX etc.) would effectively allow a bad app to slip by. That somewhat raises
    the skill required to bypass it.

    Ian Kayne
    Technical Specialist - IT Solutions
    Softlab Ltd - A BMW Company

    > -----Original Message-----
    > From: Jannie Hanekom [mailto:j_hanekom@hotmail.com]
    > Sent: 12 January 2004 15:26
    > To: focus-ms@securityfocus.com
    > Subject: RE: Active Directory Question
    >
    >
    > Hi Simon
    >
    > In my experience, persistent users will discover pretty quickly that they
    > can get around this by simply renaming files. If you still want that type
    > of protection through GPOs, I'm afraid the only solution is to either block
    > specific, exact names or to compile a comprehensive list of allowed
    > executables and only allow those.
    >
    > There are some weird apps that monitor the titles of all windows on the
    > desktop and forcibly close them if they match the list; a colleague once
    > tested one of these out and it seemed to work fairly effectively - it is
    > also immune to renamed executables (but not custom-compiled executables).
    > Only problem was that it was very aggressive: e-mails, IE windows, Word
    > documents or anything else that contained the target string in its title
    > were also instantly closed. If however you still feel that way inclined,
    > try http://www.plevna.f9.co.uk/tindex.htm. Google ads also suggest this:
    > http://www.reflex-magnetics.com/products/disknetpro/.
    >
    > On the MS front, SMS 2.0's software metering facility has a rather kludgy
    > but effective blocking mechanism that blocks/allows executables based on
    > the executable's binary properties.
    >
    > The most effective way IMO is to remove the source of these types of files:
    > disable the removable drives (see previous threads), block executables on
    > e-mail gateways, etc.
    >
    > I've been wanting to test out another theory in a large environment, but
    > haven't had a chance: setting the "Traverse Folder/Execute File" ACL flag
    > to "Deny" on end-users' temporary and home directories appears to stop
    > arbitrary web downloads and e-mail attachments from executing. This might
    > also prove quite effective against many e-mail worms, and is what *nix
    > protagonists have been telling us for years... If you want a file to
    > execute, you should have to explicitly make it executable. (Note that this
    > only works for binary executables; script files still run normally.)
    >
    > Hope that helps.
    >
    > Jannie
     
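    Added example, not part of the original thread: the "Traverse Folder/Execute File" Deny ACE that Jannie proposes, applied to a user's temp directory with PowerShell and then checked. It assumes an elevated session; the folder and account are parameters defaulting to the current user's %TEMP%, and the whoami.exe copy is only a harmless test binary.

```powershell
# Added example (not from the thread): deny ExecuteFile on a user's temp
# directory so downloaded/attached binaries cannot be started from there.
# Assumes an elevated PowerShell session; $Folder and $Account are placeholders.
param(
    [string]$Folder  = $env:TEMP,                         # directory to lock down
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME"    # user who may not execute there
)

$acl = Get-Acl -Path $Folder

# On a folder, FileSystemRights.ExecuteFile is the "Traverse Folder / Execute File"
# right. ContainerInherit + ObjectInherit push the ACE down to subfolders and files,
# so the Deny also covers files that land there later.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check 1: the explicit Deny ACE is present (Windows evaluates Deny before Allow).
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited

# Check 2: a binary copied into the folder can no longer be started from it.
# Expected result is a terminating "Access is denied" error from Start-Process.
$probe = Join-Path $Folder 'whoami.exe'
Copy-Item -Path "$env:SystemRoot\System32\whoami.exe" -Destination $probe -Force
try {
    Start-Process -FilePath $probe -Wait -NoNewWindow
    Write-Warning "Probe still executed; the Deny ACE is not effective for $Account"
} catch {
    Write-Output "Execution blocked as intended: $($_.Exception.Message)"
} finally {
    Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
}

# Caveats that match the thread: the Deny on Traverse Folder normally does not
# break path access because ordinary users hold "Bypass traverse checking";
# and script files (.vbs, .bat, .ps1) are read by their interpreter, not
# executed, so they still run. Cover those with SRP/AppLocker or a whitelist.
```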


