Re: Preventing WinLogon entry points being called by external programs
- From: "Anthony Wieser" <me@xxxxxxxxxxxxxxxx>
- Date: Wed, 11 Jan 2006 19:11:38 -0000
If the program is in a folder that can only be written by an admin, isn't
that sufficient?
Anthony Wieser
Wieser Software Ltd
"Skywing" <skywing_NO_SPAM_@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OnEmP4tFGHA.1032@xxxxxxxxxxxxxxxxxxxxxxx
> BTW, you should consider the possibility that a malicious user might patch
> some instructions in your notification package to disable any checks you
> might have that you are running under winlogon. You should be sure that
> you aren't designing your program such that this will allow a user to
> compromise the system.
>
> "Anthony Wieser" <me@xxxxxxxxxxxxxxxx> wrote in message
> news:43c54e8c$0$1480$ed2619ec@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> So, run without impersonation, and then use ImpersonateLoggedOnUser when
>> the validation succeeds.
>>
>> The trouble is, I now can't figure out how to get the token of the logged
>> on user from my Winlogon package, because I'd like to perform the actions
>> in the security context of the logged on user too.
>>
>> Anthony Wieser
>> Wieser Software Ltd
>>
>>
>> "Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
>> news:OXluNisFGHA.216@xxxxxxxxxxxxxxxxxxxxxxx
>>> Check the process's access token for local system account. It will
>>> either mean it is the regular winlogon or any other application running
>>> under the local system account. But when an application is running under
>>> local system, you cannot be secure against it anyway. So this check
>>> should be sufficient.
>>>
>>>
>>> O.
>>>
>>>
>>> "Anthony Wieser" <me@xxxxxxxxxxxxxxxx> wrote in message
>>> news:43bea03b$0$1461$ed2619ec@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hello,
>>>>
>>>> I'm developing a Winlogon notification package, and need to prevent my
>>>> entry points from doing anything, unless they've been called by the
>>>> Winlogon itself, instead of another program like rundll32.exe or some
>>>> such.
>>>>
>>>> What test can I perform to verify that it is a legitimate caller
>>>> (winlogon.exe I assume) that has not been tampered with or renamed?
>>>>
>>>> Anthony Wieser
>>>> Wieser Software Ltd
>>>>
>>>>
>>>
>>>
>>
>>
>
>
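
The folder-permission precondition asked about in this reply can be audited directly. The PowerShell below is an added example, not code from any poster in the thread; the function name `Get-NonAdminWriteAce`, the sample path, and the list of SIDs treated as administrative are assumptions to adjust for the system being reviewed.

```powershell
# Added example: report the owner and any Allow ACE that lets a non-administrative
# principal modify a folder (for instance the one holding a notification package DLL).
function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    # Assumption: these principals count as administrative on this machine.
    $trusted = @(
        'S-1-5-18',        # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',    # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Rights that allow replacing or patching a file, or rewriting the ACL itself.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                       $R::DeleteSubdirectoriesAndFiles -bor $R::WriteAttributes -bor
                       $R::WriteExtendedAttributes -bor $R::ChangePermissions -bor
                       $R::TakeOwnership)
    # ACEs can also carry raw generic bits that the enum does not name.
    $genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so a non-admin owner is a finding too.
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Principal = $owner; Finding = 'Owner'; Inherited = $false }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: keep it as untrusted
        if ($trusted -contains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value
                               Finding = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Sample call; System32 is used only as a sample location.
Get-NonAdminWriteAce -Path (Join-Path $env:SystemRoot 'System32') | Format-Table -AutoSize
```

An empty result means no write-capable entry for a principal outside the trusted list on that one object. Run it against the DLL file itself and each parent folder as well, since the function does not walk the tree.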