Re: Restricting Certain Binaries - Steve?

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/07/04


Date: Sat, 07 Feb 2004 22:17:23 GMT

Hi John.

I have never implemented that technique [nor have I configured a DMZ bastion
host] though I have read about it in a couple of books including the O'Reilly book
on building a bastion host. It may be a bit overkill for most situations [where
you are not offering services to internet users], but another layer of security
is always a good thing if you maintain an acceptable level of functionality for
your purpose. Of course it makes sense to take all other precautions first to
avoid hackers/worms including a properly configured firewall, critical patch
management, antivirus software, complex passwords, account lockout policy,
ntfs/share permissions, eliminating unnecessary services, etc. For instance if
you are not offering shares on your computer and do not need to manage it
remotely via Computer Management it makes sense to uninstall file and print
sharing. If you do need file and print sharing, you can remove the
administrators group from the "access this computer from the network" user right
assignment which would make it much more difficult for hackers if your firewall
becomes misconfigured.

I notice that the IISlockdown tool for computers running IIS adds the
iusr_machinename account to many \system32 binaries with a deny permission to
protect the computer from hackers. I read one book by Phil Cox, and the info is
in a link below though, where he recommends removing system and administrators
from those files and adding a group instead that membership can be controlled
with select user accounts in the local administrators group. Keep in mind that
applying a service pack, etc may overwrite those files with versions that have
default permissions and of course trying to remove them may be futile as Windows
File Protection will replace many.

http://www.systemexperts.com/tutors/HardenW2K101.pdf

Yes I definitely think you are taking a look at good ways to secure your computer
and it can be an interesting and fun process. The biggest threat for most users
continues to be through email attachments which I bet you are real careful
about. I don't know exactly how an attacker or worm gets system control. But I
do know that is why keeping critical updates is so important to prevent
known/newly discovered vulnerabilities to the operating system from being
exploited to do such. I read the term "buffer overflow" a lot when I hear about
how an operating system is severely compromised, see an example in the link
below. --- Steve

http://www.cert.org/advisories/CA-2003-09.html

"John" <John@somewhere.com> wrote in message
news:MPG.1a8d8f79a4a4a2d9989681@news.telusplanet.net...
> Steve, can you please comment on this?
>
> http://www.uksecurityonline.com/husdg/windows2000/binaries.htm
>
> I changed the permissions on all these executables from
>
> Administrators : full control
> System : full control
>
> to
>
> Administrators: full control
>
>
> I did this after reading that many of these viruses are able to obtain
> system privilege somehow. I have eliminated remote logons for everyone,
> and used passprop.exe to do the same for administrator.
>
> Since I log onto this machine using a normal "user" account I cannot
> execute any of these binaries from my desktop. If a virus executes
> while I am logged on under my "user authority" I think the virus won't
> be able to execute any of them either, neither will it be able to
> execute them even if it somehow gets "system" authority.
>
> Is this a step in the right direction? How is a virus able to obtain
> system authority anyway?
>
> Thank you.
>
> John
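The two controls Steve describes (an IISLockdown-style Deny ACE on selected \system32 binaries, and keeping the Administrators group out of the "Access this computer from the network" user right) can be audited and, if wanted, applied with the script below. This is an added example, not code from the thread, IISLockdown or the linked hardening guide. The binary list, the deny account name and the script file name are assumptions you replace with your own; the script only reports unless -Apply is given, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): audit who can execute a set of
# \system32 binaries, optionally add a Deny ACE for one account, and check
# whether Administrators still holds SeNetworkLogonRight.
#
# Assumptions (not from the page): the binary list is illustrative; the deny
# account is a placeholder (IISLockdown used an IUSR_<machine> account, but
# your name may differ). Run elevated.

param(
    [string[]]$Binaries = @('cmd.exe', 'net.exe', 'net1.exe', 'tftp.exe', 'ftp.exe', 'regedit.exe'),
    [string]$DenyAccount = '',   # e.g. "IUSR_$env:COMPUTERNAME" (assumed name)
    [switch]$Apply               # without -Apply the script only reports
)

$system32 = Join-Path $env:SystemRoot 'System32'
$exec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# --- 1. Who can execute each binary, and who is explicitly denied? ---------
foreach ($name in $Binaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { Write-Warning "missing: $path"; continue }

    $acl = Get-Acl -Path $path
    $canRun = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $exec) -eq $exec) } |
        Select-Object -ExpandProperty IdentityReference
    $denied = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object -ExpandProperty IdentityReference

    '{0,-14} allow-execute: {1}  deny: {2}' -f $name, ($canRun -join ', '), ($denied -join ', ')

    if ($Apply -and $DenyAccount) {
        # Deny ACEs are evaluated before Allow ACEs, so this blocks the account
        # even when it is also a member of a group that is allowed to execute.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $DenyAccount, $exec, 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        "  -> added Deny(ReadAndExecute) for $DenyAccount on $name"
    }
}

# --- 2. Is Administrators still allowed to log on over the network? --------
# secedit exports user rights as SIDs; S-1-5-32-544 is the built-in
# Administrators group, which Steve suggests removing from this right.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeNetworkLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($line -and $line.Line -match 'S-1-5-32-544') {
    "SeNetworkLogonRight still includes Administrators (S-1-5-32-544): $($line.Line)"
} else {
    "SeNetworkLogonRight does not include Administrators."
}
```

Save it as a .ps1 (file name is your choice) and run it with no arguments to get a report; add `-DenyAccount 'IUSR_YOURHOST' -Apply` to write the Deny ACE. The script deliberately denies a single low-privilege account rather than stripping SYSTEM or Administrators from the files, since, as the post notes, service packs and Windows File Protection can put back default copies of these binaries with default permissions; re-run the report after patching to see whether your ACEs survived.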
