Re: How good is Comodo Internet Security?



VanguardLH <V@xxxxxxxxx> wrote:
Ansgar -59cobalt- Wiechers wrote:
VanguardLH <V@xxxxxxxxx> wrote:
A process can be made to run under a LUA (limited user account) token.
That is, the process will have the same privileges as that token. Since
the token has the limitation of a standard user account, that process
is also limited. But that only applies when you run that process under
the limited environment. When using DropMyRights, SysInternals'
psexec, or other such utilities that run the child process under
limited privileges, only the process they start is limited. So if you
use them to start the web browser, that instance of the web browser is
limited and you get more protection.

Since Microsoft has documented that the *desktop* not the process is the
security boundary with Windows, that's most definitely *not* what you
want to do. Instead you want to create an LUA, do your everyday work
with that account, and only switch to an admin account to do
administrative work.

Huh? Just where did I ever mention the desktop process (the first
instance of explorer.exe) being the parent of all processes?

You didn't. And I never said you did. You missed my point.

It can be. It might not. I said these utilities only limited the
child process it starts and why they are NOT complete solutions if and
only if you demand that all instances of a particular process be
limited. The part you snipped out was were I mentioned that other
solutions take care of limiting ALL instances of that program no
matter how it was started. Some folks like it always protected (but
might also want some means of temporarily disabling the protection) so
the method of using a utility for those instances you want to protect
is what they want. They don't want to use a limited Windows account.
Some want all instances protected for only some programs but not all
of them so the 3rd party utilities, like GeSWall, DefenseWall,
Bufferzone, Sandboxie, SafeSpace, etc., let them default to limiting
those processes but they still have an "out" when limiting the process
makes it unusable.

Please provide a references to that Microsoft documentation.

http://support.microsoft.com/default.aspx?scid=kb;en-us;327618

The article refers to system services, but of course the very same
applies to all interactive processes (read: processes with windows
attached to them) running with elevated privileges.

The "desktop" is just explorer.exe handling it.

Ummm... yes, I am well aware that explorer.exe manages the desktop. I'm
also aware of how the default shell can be changed. However, that
doesn't change a single thing about how the window messaging system
works.

You could, if you wanted to and found one that was usable, replace
that desktop program with some 3rd party program. Securing the
boundary of a process is how you secure it.

Unfortunately it's not that easy, since the Windows GUI adds another
method for IPC (sending messages between windows) that does not have any
security system at all (or, judging from the blog article you mentioned
below, did not have one before Vista). That leaves it up to each single
programmer to handle incoming messages, and Visual Studio's default is,
of course, to use the default handlers provided by Microsoft.

Apparently Vista introduced some kind of privilege separation there, so
Vista may be fine (assuming that this system is working in the first
place). However, if the OP uses XP or earlier (not sure if he does,
AFAICS he didn't mention his OS) that simply won't work.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
.



Relevant Pages

  • Re: Hackers target Microsoft Windows XP support system
    ... The bug affects well-established Windows XP operating system. ... Either logon under a limited account when web surfing ... privileges are reduced on the web browser will severely curtails the ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: GINA logon w/ Logon Message Error
    ... I named the new account AdminTest and gave it Administrator ... another account with different name say like Nass with admin privileges ... I have two windows that pop up.... ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: How good is Comodo Internet Security?
    ... the process will have the same privileges as that token. ... the token has the limitation of a standard user account, ... use them to start the web browser, that instance of the web browser is ... limited and you get more protection. ...
    (comp.security.firewalls)
  • Re: Is it unsafe using Windows XP without password?
    ... Malware can find out account names but it ... A password would give you a little more protection. ... MS-MVP Windows - Shell/User ... set a password for my account (not Administrator but belongs to ...
    (microsoft.public.windowsxp.general)
  • Beginners error: import function of Windows Mail executes rogue program C:Program.exe with credentia
    ... the import function of Windows Mail executes a rogue program C:\Program.exe ... Start Windows Mail ... Enter account name and password of any Windows account ... it needs administrative privileges to write C:\Program.exe. ...
    (Bugtraq)