Re: Debug privileges



That is more relevant to the topic.

The problem is that if the process that is executed in the workstations can
call the server then the workstation process can get access to the
application in the server. If a process executing in the workstation can use
something such as a hook to get into the protected application then it can
have essentially full access.

So is it necessary for the protected application to ensure that workstations
don't have arbitrary access to the application executing in the
workstations? Is that the only way to protect client/server applications? I
don't mean to imply that that is all that needs to be done, I am saying that
it is one of many things that must be done.

The particular third-party application I am working with does not do that.
We would like to strengthen its security but it seems impossible for us to
do that; they must, right?



"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:ezVBrYRaHHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
If all of the business logic and things you are afraid of being
compromised are maintained on the server, these API calls don't matter.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Samuel Ray wrote:
Also, most (maybe all) of the functions that are of most concern are not
client/server requirements. For example ReadProcessMemory,
WriteProcessMemory and other debugging functions. Also SetWindowsHookEx.


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:OlHj1FCZHHA.4396@xxxxxxxxxxxxxxxxxxxxxxx
That is part of the draw of client server software... The client
shouldn't have any rights on the server that they shouldn't normally
have and any critical logic or IP is all handled on the server. Anything
done on the local client is open to compromise. If you have a machine in
your possession, you own the machine.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Samuel Ray wrote:
Thank you, Jos. That sounds logical and reasonable.

Except if the person starting a process is an employee and the actual
owner is the employer, and situations such as that. That seems to be a
big opportunity for the employee and others, but I assume that is what
security specialists are needed for. If an employee executes a
company's accounting program and if the employee is the owner of the
process then they can steal from the company. So I assume that all good
accounting software does not execute under the typical employee's
account.

I am being very simple here but I am a developer. If the description I
have above is accurate, then understanding this will help me to know
what to learn and it will help me guide (hopefully not too blindly)
other developers.


"Jos Scherders" <thrower@xxxxxxx> wrote in message
news:%23WK5lW3YHHA.992@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

If you start the process you by definition have all the required
privileges to debug. Just have a look at all the ACLs attached to the
process and match them with owner of the process.

Debug privilege basically allows you to open a process even if that process
is owned by someone else. If you are the owner you don't need the debug
privilege.

Jos

"Samuel Ray" <samuel@xxxxxxxxxxxxxxxxxxxx change_roadrunner_to_rr>
wrote in message news:uQKBYn2YHHA.4872@xxxxxxxxxxxxxxxxxxxxxxx
Is it true that any process started by an account can use debugging
calls for all other processes started by that account and there is no
way to disable that? I am very surprised that that is true yet that
is what people say.

Of course people also say that debugging calls require debugging
privileges but WriteProcessMemory does not say that; it says the
"handle must have PROCESS_VM_WRITE and PROCESS_VM_OPERATION access".

I am sorry for asking such a basic question, but I don't know where
to look to get the answer and it seems that many people are confused.
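
Added example, not part of the original thread: a simplified Python model of the access check behind OpenProcess, showing why the process owner gets the PROCESS_VM_WRITE and PROCESS_VM_OPERATION rights without the debug privilege, and what a deny ACE on the process does and does not change. The access-mask values are the documented Windows constants; the SIDs, tokens and DACLs are constructed sample data, and the model ignores integrity levels and protected processes.

```python
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights WriteProcessMemory requires on the handle, per its documentation.
WRITE_MEMORY = PROCESS_VM_WRITE | PROCESS_VM_OPERATION

def open_process(token, process, desired):
    """Return True if a handle with the `desired` rights would be granted."""
    # An enabled SeDebugPrivilege bypasses the process DACL entirely.
    if "SeDebugPrivilege" in token["privileges"]:
        return True
    granted = 0
    # The owner implicitly holds READ_CONTROL and WRITE_DAC.
    if token["user"] == process["owner"]:
        granted |= READ_CONTROL | WRITE_DAC
    remaining = desired & ~granted
    # ACEs are evaluated in order; a deny ACE on a still-needed bit fails.
    for ace_type, sid, mask in process["dacl"]:
        if sid not in token["sids"]:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if not remaining:
            return True
    return remaining == 0

# Constructed sample tokens (hypothetical SIDs).
ALICE = {"user": "S-ALICE", "sids": {"S-ALICE", "S-USERS"}, "privileges": set()}
BOB = {"user": "S-BOB", "sids": {"S-BOB", "S-USERS"}, "privileges": set()}
ADMIN = {"user": "S-ADMIN", "sids": {"S-ADMIN"},
         "privileges": {"SeDebugPrivilege"}}

# Process started by Alice with a default-style DACL (owner and SYSTEM).
DEFAULT_PROC = {"owner": "S-ALICE", "dacl": [
    ("allow", "S-ALICE", PROCESS_ALL_ACCESS),
    ("allow", "S-SYSTEM", PROCESS_ALL_ACCESS)]}

# Same process after the application puts a deny ACE ahead of the allow ACE.
HARDENED_PROC = {"owner": "S-ALICE", "dacl": [
    ("deny", "S-ALICE", WRITE_MEMORY | PROCESS_VM_READ),
    ("allow", "S-ALICE", PROCESS_ALL_ACCESS)]}
```

In the model the deny ACE blocks the owner's memory-write request, but the owner can still open the process with WRITE_DAC and a debug-privileged account is not affected at all, which is why the replies place the protection on the server.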


