Re: More before-the-fact advice for 2K and XP?

From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 12/15/04


Date: Tue, 14 Dec 2004 20:25:10 -0800

Software restriction policies are your friend.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/safer_topnode.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Safer_topnode.asp

Steve Riley
steriley@microsoft.com

"Gordon Fecyk" <gordonf@pan-am.ca> wrote in message
news:eGXxVrl4EHA.1976@TK2MSFTNGP09.phx.gbl...
> I'm consulting for several firms who are using Win2K and XP Pro as limited
> users, which so far is keeping the current crop of viruses and other garbage
> off the machines. Hardware firewalls do the rest.
>
> I believe future exploits will be deliberately designed to run as a limited
> user. That means a trojan, or virus or what-have-you will work only while a
> specific user's logged on to the machine. But it will still run. It
> wouldn't need to take advantage of raw sockets, UPnP or other "supposedly
> dangerous" technologies to do its dirty work.
>
> So the question I ask is, how to prevent unauthorized software from running
> even as the limited user? Here are the things I've ruled out so far:
>
> * Signed programs are difficult to maintain. A lot of sites use old apps
> that can work as a limited user, but aren't digitally signed. And nothing
> stops a disreputable company with a code certificate from writing a bad
> program that happens to be signed.
>
> * "Outbound firewalls" are an annoyance to the average user, because they
> warn you about every single little applet that wants network access. That
> includes the Windows Firewall when you enable outbound connection
> monitoring. Besides, it's one more thing that runs in the background using
> up CPU time that a useful app can use instead. And they don't stop bad
> programs that use file system APIs instead of network APIs to spread.
>
> * I would love to see "ZIP file type restrictions" in the Compressed Folders
> shell extension for Windows XP. Like the attachment restrictions built into
> Outlook 2002 and later, I could disallow opening certain file types from
> within ZIP and other archive files. There's no such functionality yet, so
> I've had to block ZIPs as "level 1" and allow "level 2" access only to
> people I've trained in handling ZIP archives safely. This sucks because
> even a trained user can make mistakes.
>
> * I already change the security ACLs for the root of Drive C to read-only
> for limited users, and apply special ACLs to the "RECYCLER" folder so
> limited users can still create and use Recycle Bins. I borrowed the same
> ACL for "Shared Documents" to accomplish this. The only folders that need
> to be on the root of Drive C are "Documents and Settings," "Program Files,"
> "Windows," and "RECYCLER." And these folders (except for RECYCLER) have
> default ACLs that are perfect for before-the-fact security. I also create a
> separate volume exclusively for the paging file and make that unreadable to
> limited users entirely.
>
> Which comes to my latest idea which I have no clue how to implement: Deny
> (or remove) Execute permissions by default to Documents and Settings for
> limited users. I don't know how to implement this because I don't know
> where the default ACL for a user's profile is stored. Whatever it is, it's
> normally "Full Control" for the user. There's also the matter of setting up
> the same or similar ACL for whatever the user's Home directory is (on an
> Active Directory network) or their Profile directory (also on AD).
>
> Even if there were an ACL template I could change, I'd have to change it in
> three places: for the user's local profile, the user's roving profile (if
> any) and the user's home directory (if any).
>
> If this were possible, it would eliminate the last remaining problem I can
> figure out: How to keep limited users from running unauthorized programs
> for good. A privilege elevation exploit won't work if it can't run in the
> first place.
>
> --
> PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
> What's a PGP Key? See <http://www.pan-am.ca/free.html>
> GOD BLESS AMER, er, THE INTERNET.
> <http://vmyths.com/rant.cfm?id=401&page=4>
>
>
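As an added example (not from Steve's reply or Gordon's post), this PowerShell script builds the kind of local Software Restriction Policy Steve points at: default Disallowed, with Unrestricted path rules only for the Windows and Program Files directories, which addresses Gordon's "keep limited users from running unauthorized programs" question without touching profile ACLs. It assumes the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer, an elevated session on XP/2003 or later with PowerShell installed, and the rule descriptions and GUIDs are constructed here.

```powershell
# Added example: local Software Restriction Policy, default deny.
# Assumes the documented SRP registry layout under HKLM\...\Safer and an
# elevated session. Rule GUIDs and descriptions below are constructed.
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x0      # SAFER_LEVELID_DISALLOWED
$Unrestricted = 0x40000  # SAFER_LEVELID_FULLTRUST (262144)

New-Item -Path $safer -Force | Out-Null
# Everything not matched by an Unrestricted path rule is Disallowed.
Set-ItemProperty $safer -Name DefaultLevel        -Value $Disallowed -Type DWord
# 1 = enforce for executables only; 2 would also check DLLs (more breakage).
Set-ItemProperty $safer -Name TransparentEnabled  -Value 1           -Type DWord
# 1 = all users except local Administrators: admins can still install
# software, limited users (Gordon's case) stay locked down.
Set-ItemProperty $safer -Name PolicyScope         -Value 1           -Type DWord
Set-ItemProperty $safer -Name AuthenticodeEnabled -Value 0           -Type DWord
# File types SRP treats as executable (the documented default list).
Set-ItemProperty $safer -Name ExecutableTypes -Type MultiString -Value @(
  'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
  'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
  'PIF','REG','SCR','SHS','URL','VB','WSC')

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each rule is a GUID-named key under <level>\Paths; ItemData is the path.
    $guid = [guid]::NewGuid().ToString('B')
    $key  = Join-Path $safer ("{0}\Paths\{1}" -f $Level, $guid)
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty $key -Name Description  -Value $Description -Type String
    Set-ItemProperty $key -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
}

# Allow rules: only locations limited users cannot write to by default ACL,
# so "allowed to run from here" never becomes "allowed to drop and run".
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows directory'
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'
# Caveat: %WINDIR%\Temp is writable by limited users on XP, so re-deny it
# explicitly; the more specific rule wins over the SystemRoot allow rule.
Add-SaferPathRule $Disallowed '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp' 'Windows Temp (user-writable)'

# Show what was written.
Get-ItemProperty $safer | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
```

Sign out and back in (or reboot) so the new policy is picked up, and test first with a non-admin account, since anything in the profile, including Gordon's ZIP contents, will now be refused.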


