More Before-The-Fact-Isms II, blocking viruses and spyware through NTFS

From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 01/20/05


Date: Wed, 19 Jan 2005 19:03:38 -0600

Thanks to Roger Abel for finding a bug in xcacls.vbs and a workaround to
this default permissions problem.

OK, so now it's possible to restrict access to executables through the NTFS
file system completely, at least in theory. I'd like to know how many holes
this little net has.

We have a default installation of 2K Pro or XP Pro, with these folders (some
hidden) on the %systemdrive% (usually C):

\Documents and Settings
\Program Files
\RECYCLER
\WINDOWS or \WINNT (%systemroot%)

The root of %systemdrive% normally has "Everyone - Full Control". I usually
change it to this ACL:

BUILTIN\Administrators Full Control
NT AUTHORITY\SYSTEM Full Control
BUILTIN\Users Read
BUILTIN\Users List Folder Contents

I don't bother with the Power Users group since it doesn't exist on XP Home,
and the point is to restrict executable access.

The default ACLs for Documents and Settings, Program Files and %systemroot%
are fine.

I have to create \RECYCLER by playing with the Recycle Bin, but I then copy
the ACL for \Documents and Settings\All Users\Documents (aka: "Shared
Documents"). If I have any 16-bit apps I also have to do this to
%systemroot%\temp. This way, users can still use the Recycle Bin but they
can't run programs in \RECYCLER.

The resulting ACL for \RECYCLER, %systemroot%\temp and \Documents and
Settings\All Users\Documents looks like this:

BUILTIN\Administrators Full Control
NT AUTHORITY\SYSTEM Full Control
BUILTIN\CREATOR OWNER Full Control for Subfolders Only
BUILTIN\CREATOR OWNER Special (Full Control except Execute) for Files Only
BUILTIN\Users Read
BUILTIN\Users List Folder Contents
BUILTIN\Users Special (Create Files / Write Data, Create Folders / Append Data,
    Write Attributes, Write Extended Attributes, Read Permissions) for This
    Folder and Subfolders

Essentially, users can create and manipulate their own files and folders in
these places, but still can't launch any executables.

Then I have a script launch on logon - either a domain logon script run
synchronously or one set through local policy - that executes this:

xcacls.vbs "%userprofile%" /T /E /Q /L /SPEC C /P "%userdomain%\%username%":F
xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":12345789ABCD

(assuming cscript.exe is the default scripting host, and xcacls.vbs is
available in the %path%)

I can repeat those lines with "%homedrive%\%homefolder%" or "%homeshare%" in
a domain.

Normally %temp% is set to %userprofile%\Local Settings\temp, so it ends up
with the same restrictions. 16-bit apps have a different %temp% for some
reason, pointing to %systemroot%\temp. As long as temp filenames don't
clash (and 16-bit apps clean up after themselves) there shouldn't be a
problem with two user accounts on one machine.
(Is there a way to force %userprofile%\local settings\temp for 16-bit apps?
I mean, it comes up as short filenames anyway!
"C:\DOCUME~1\USERNA~1\LOCALS~1\TEMP")

Seems pretty crazy, but this only needs to be done once and written to a
disk image (Ghost or similar). I also usually have a separate 2 GB
partition for the pagefile with no access at all for BUILTIN\Users, but
that's a performance decision.

Once done, I have full control (heh) of what BUILTIN\Users are allowed to
execute. And this ends up being anything installed in %systemroot% or in
\Program Files. Programs Designed for Windows XP and Win2K seem to work
without any hiccups in this locked down setup, and individual app folders or
Registry keys can have different ACLs if needed (i.e. Cardscan, MS Photo
Editor, etc.).

The end results for Limited Users:

EXE files are disallowed
BAT/CMD files are disallowed if launched from Explorer but not if launched from a Command Prompt
COM files are disallowed
LNK (Shortcut) files are allowed if they really are shortcuts - EXEs posing as LNKs are disallowed
URL (Internet Shortcut) files are allowed - EXEs posing as URLs just don't work
PIF (MS-DOS Settings) files are allowed if really a PIF pointing to an allowed EXE - EXEs posing as PIFs are disallowed
SCR (screen saver) files are disallowed
VBS files are still allowed if really VBS
Other file types defined in %PATHEXT% (including .PL if you have a Perl interpreter) are still allowed
Java applets (with Sun JVM 1.5) are still allowed
.NET applets not yet tested - where are some I can try?

I haven't tested something like RUNDLL32 evildll.dll yet, but my
understanding is DLLs are subject to the Execute permission.

At first glance, VBS scripts are the worst enemy at this point. The Windows
Scripting Host doesn't check filesystem ACLs for Execute permissions before
launching a script. I wish it did. Also, the Command Prompt (CMD.EXE)
ignores filesystem ACLs when launching batch files.

Any other potential holes here? I imagine this would take the steam out of
executable e-mail attachments, executables in ZIPs, executables delivered as
a payload in some IE exploit, etc. Couple this with the "NX" capability in
newer processors (to avoid buffer overflow and stack smash exploits) and
this oughta be a pretty safe setup.

-- 
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
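As an added check (PowerShell, not part of the original post or of xcacls.vbs), the script below audits the user-writable trees the post locks down and lists the two kinds of holes it asks about: gated binaries on which BUILTIN\Users or the current user still holds an Allow ACE carrying the Execute bit, and the script types from %PATHEXT% that, per the post, the Windows Scripting Host and CMD.EXE launch without consulting the Execute permission. The default paths, the identities and the gated/ungated split (EXE/COM/SCR versus the rest of %PATHEXT%) are assumptions taken from the post's own results list.

```powershell
# Added example, not from the original post or from xcacls.vbs: walk the trees the
# post restricts and report (a) gated binaries (EXE/COM/SCR) on which one of the given
# identities still holds an Allow ACE with the Execute bit, and (b) %PATHEXT% script
# types that, per the post, WSH and CMD.EXE run without an Execute check.
# Default paths and identities are assumptions; pass your own.
param(
    [string[]]$Paths = @("$env:SystemDrive\RECYCLER", "$env:SystemRoot\temp", $env:USERPROFILE),
    [string[]]$Identities = @('BUILTIN\Users', "$env:USERDOMAIN\$env:USERNAME")
)

$gated   = @('.EXE', '.COM', '.SCR')   # formats the post found the Execute ACL does gate
$ungated = @($env:PATHEXT -split ';' |
             Where-Object { $_ -and ($gated -notcontains $_.ToUpper()) } |
             ForEach-Object { $_.ToUpper() })

# ExecuteFile (0x20) is the same bit as Traverse on folders; FullControl includes it.
$executeBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Test-ExecuteAllowed {
    param([string]$Path, [string[]]$Who)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }        # unreadable ACL: nothing to report
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Who -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $executeBit) -ne 0) { return $true }
    }
    return $false
}

foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ext = $_.Extension.ToUpper()
            if (($gated -contains $ext) -and (Test-ExecuteAllowed -Path $_.FullName -Who $Identities)) {
                [pscustomobject]@{ Finding = 'ExecuteAllowedByACL'; Path = $_.FullName }
            } elseif ($ungated -contains $ext) {
                # The Execute ACL cannot stop these (the post's "VBS scripts are the worst
                # enemy" class); list them so they can be handled by other means.
                [pscustomobject]@{ Finding = 'NotGatedByExecuteACL'; Path = $_.FullName }
            }
        }
}
```

Run it from an elevated prompt so every ACL under the profile and %systemroot%\temp is readable; an empty result for ExecuteAllowedByACL means the xcacls.vbs pass left no Execute grant for the listed identities on the gated formats.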
