Re: Help hardening interactive processes in Windows

• Previous message: Nathaniel Hall: "RE: breakout of citrix"
• In reply to: Okiwaso: "Help hardening interactive processes in Windows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: security-basics@securityfocus.com
Date: Thu, 21 Oct 2004 14:33:17 -0400

Hi Oki.

<snip>
> Could you please give me some examples of how to harden Interactive
> processes, to keep them from running under a higher level accounts ?
</snip>

I'm not completely sure what you mean by "running under a higher level
accounts [sic]", but I THINK you mean the concept of resitricting a process
so that if it is compromised, an attacker will have few privelages on the
system to do more damage.

This is a concept that the Unix world has had for quite some time now in the
form of a system call known as "chroot" (a "system call" is a way that you
can signal to your kernel to execute a particular "function" or "block" of
code/instructions). The recent BSD's have taken this idea further with their
concept of a "jail". The idea is simply to "trap" a running process inside of
this cage/jail, so that any attacker that exploits the process is also
limited to the confines of this cage/jail.

Unfortunately, the Windows world has no concpet of this, and therefore, no
implementation. The Windows kernel has no means to restrict a running process
inside of a "sub" environment. I'm certainly not a Windows authority, but I
think your best bet would be to investigate the "runas" command (you might
have to install the windows resource kit, I can't remember). Depending on
what you are trying to execute, you might be able, at the very least, to use
"runas" to run the process as a non-admin user, and restrict that users
rights using NTFS permissions and the Windows Security Policies. It's not
quite as elegant as a chroot() or jail(), but it's better than nothing!

I would be interested in how successfully this works if you experiment with
this. Please share!
 

-- 
Miles Stevenson
miles@mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63

• application/pgp-signature attachment: stored

• Previous message: Nathaniel Hall: "RE: breakout of citrix"
• In reply to: Okiwaso: "Help hardening interactive processes in Windows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Permissions to Print Spooler service ... > non-admin user and I want him to be able to cycle the local Print Spooler ... Grant Users Rights to Manage Services in Windows 2000 ... -- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ... (microsoft.public.windowsxp.general) Re: SharePoint Security ... I think windows would still lock out the password after the given number of ... > I notice that a non-admin user can access ... > prompt for password and just display a 401) ... (microsoft.public.sharepoint.portalserver) Re: How to get Code Segment Base Address in PM ... > asm I cannot get the segment base address (what in real mode would be ... I can get that address from the higher level language and pass ... On Windows, *nix, etc. ... (comp.lang.asm.x86) Re: Roguelikes not for newbies? ... a little similar syntax to what C++ use (as does Java), ... a totally different programming language. ... And much higher level too. ... of the windows-only api, which lock you to windows platform. ... (rec.games.roguelike.development) Running USMT Loadstate as non-admin ... loadstate as a non-admin user on a Windows XP machine. ... beta of USMT. ... (microsoft.public.windowsxp.setup_deployment)