[Dshield] Admin rights on XP Home (was Re: WMF "wait for us")

Stephane Grobety security at admin.fulgan.com
Mon Jan 9 07:54:25 GMT 2006

Hello Tom,

Ah... what do you mean?

Whatever "global protection space" is, I doubt that it relates
to anything that exists under Windows (or any OS that includes the
notion of security). Each process is owned by a user and each process
spawned by another process inherits the same owner as its parent
(unless told otherwise by the parent). The root process is "SYSTEM",
which has all local rights and limited network rights. It's responsible
for spawning the winlogon.exe instances which handle the user logon.
Winlogon then allows the user to authenticate himself and creates a new
window station and desktop for him. That new station is owned by the
logged-on user and all processes spawned in it are running under the
credentials of that user. So, in order to run as the SYSTEM
user, a process has to find a way to get launched in a different way:
it can install itself as a service requesting SYSTEM ownership, it can
request a service running under that security principal to start it
(which is an old trick with the AT scheduler), etc. So as you can see,
it's not as simple as you think.

The problem is that some objects are protected by ACLs that exclude
non-administrators. Common culprits are CD protection software
frequently included in CD games. In order to work, they must open the
CD/DVD drive in raw mode and that is an operation limited to
administrators. That's just an example, of course; there are many
things that could lead a program to require administrator access (if
only during installation).

Another problem is that supporting a home user can be really
tedious and having him run under an administrator account is tempting:
it drastically reduces the number of times the user will require

And I'm afraid that the above reasons combined mean that home users
running as administrators still have a long time to go...

Good luck,

Sunday, January 8, 2006, 1:37:47 AM, you wrote:

T> Ed,

T> I am not windows savvy but I would venture that apps must live in 
T> "global" permissions space rather than in a user's security jail 
T> under windows.  Just another bad security situation in my mind.

T> Tom

T> At 11:15 AM -0500 1/7/06, Ed Truitt wrote:
>>One reason many XP Home accounts are 'administrator' (which is NOT 
>>the default) is that many home-user programs (including some from 
>>Microsoft) require administrator level privilege to run.  Games are 
>>common offenders in this regard.
>>-E D Truitt
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
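The ownership model Stephane describes (each process inherits its parent's owner unless the parent says otherwise, SYSTEM at the root, and services as the usual way to get code running as SYSTEM) can be checked directly on a Windows host. The script below is an added example, not part of the original post or of any DShield tooling: it builds a process-to-owner map from WMI, reports every process whose owner differs from its parent's (the "told otherwise" cases, normally winlogon/userinit handing over to the logged-on user or a service control manager starting a service), and lists the services configured to run as LocalSystem. It assumes Windows PowerShell 5.1 or later; GetOwner only succeeds for processes the caller is allowed to inspect, so run it elevated to see the full picture.

```powershell
# Added example (not from the Dshield post): audit which processes run as SYSTEM,
# where in the process tree the owner changes, and which services are registered
# to run as LocalSystem. Assumes Windows PowerShell 5.1+ and the WMI classes
# Win32_Process / Win32_Service, which exist on every supported Windows version.

function Get-ProcessOwnerMap {
    # Returns a hashtable: PID -> object with Pid, ParentId, Name, Owner.
    $map = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<access denied>' }
        $map[[uint32]$p.ProcessId] = [pscustomobject]@{
            Pid      = [uint32]$p.ProcessId
            ParentId = [uint32]$p.ParentProcessId
            Name     = $p.Name
            Owner    = $owner
        }
    }
    return $map
}

function Get-OwnerTransitions {
    # Emits every process whose owner differs from its parent's owner.
    # These are exactly the points where a parent created the child under
    # different credentials (logon, service start, scheduled task, runas ...).
    param([Parameter(Mandatory)][hashtable]$Map)
    foreach ($proc in $Map.Values) {
        $parent = $Map[$proc.ParentId]
        if ($null -eq $parent) { continue }                     # parent already exited
        if ($proc.Owner -eq '<access denied>' -or $parent.Owner -eq '<access denied>') { continue }
        if ($proc.Owner -ne $parent.Owner) {
            [pscustomobject]@{
                Child       = "$($proc.Name) ($($proc.Pid))"
                ChildOwner  = $proc.Owner
                Parent      = "$($parent.Name) ($($parent.ParentId -join ','))".Replace("($($parent.ParentId))", "($($parent.Pid))")
                ParentOwner = $parent.Owner
            }
        }
    }
}

function Get-SystemServices {
    # Services whose configured account is LocalSystem: the documented route
    # for code to run with SYSTEM rights without inheriting a user's token.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, StartMode, PathName
}

# Usage
$map = Get-ProcessOwnerMap
"Processes running as SYSTEM:"
$map.Values | Where-Object { $_.Owner -eq 'NT AUTHORITY\SYSTEM' } |
    Sort-Object Pid | Format-Table Pid, Name, Owner -AutoSize
"Owner changes between parent and child:"
Get-OwnerTransitions -Map $map | Format-Table -AutoSize
"Services configured to run as LocalSystem:"
Get-SystemServices | Format-Table -AutoSize
```

On a healthy workstation the owner transitions are few and recognisable (winlogon or userinit to the interactive user, services.exe to the service accounts, the task scheduler to whatever the task specifies); an unexpected SYSTEM-owned child of a user-owned process is the kind of thing worth explaining before moving on. Services not found under `Get-SystemServices` but nonetheless running as SYSTEM (for example processes started through the legacy AT scheduler the post mentions) show up in the first listing instead, which is why both views are printed.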

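The other point in the post, programs that fail for non-administrators because some object they open is protected by an ACL that excludes ordinary users, is best diagnosed by comparing the rights the current token actually holds against the ACL of the object in question. The function below is an added example, not from the original post: it gathers the user and group SIDs of the current logon token, walks the discretionary ACL of a file or directory, and reports whether the requested `FileSystemRights` would be granted. Group membership is evaluated through the token's own group list (so `BUILTIN\Users` and `Everyone` ACEs count), and deny entries are applied before allow entries, which is an approximation of the kernel access check: it ignores the owner's implicit rights and privileges such as SeBackupPrivilege, and covers file-system objects only. The sample path is a constructed placeholder; run it as the non-admin user against the directories a misbehaving installer or game touches.

```powershell
# Added example (not from the Dshield post): would the current token be granted
# the given rights on a file-system object? Approximates the Windows access check
# by accumulating deny and allow masks over the ACEs that match the token's SIDs.
# Assumes Windows PowerShell 5.1+ and an NTFS path.

function Test-CurrentTokenAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The token's SIDs: the user itself plus every group the token carries.
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -Path $Path
    [int]$allowMask = 0
    [int]$denyMask  = 0
    $matched = @()
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                                  # unresolvable identity, skip
        if ($tokenSids -notcontains $sid) { continue }
        $matched += "$($ace.AccessControlType) $($ace.IdentityReference) : $($ace.FileSystemRights)"
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') { $denyMask = $denyMask -bor $mask }
        else                                   { $allowMask = $allowMask -bor $mask }
    }
    # Deny wins over allow for any bit it covers; then every requested bit must remain.
    $granted  = $allowMask -band (-bnot $denyMask)
    $wanted   = [int]$Rights
    [pscustomobject]@{
        Path        = $Path
        Principal   = $identity.Name
        IsAdmin     = ([System.Security.Principal.WindowsPrincipal]$identity).IsInRole(
                          [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Requested   = $Rights
        Granted     = ($granted -band $wanted) -eq $wanted
        MatchedAces = $matched
    }
}

# Usage: constructed sample path, replace with the directory the program writes to.
Test-CurrentTokenAccess -Path 'C:\Program Files\ExampleGame' -Rights 'Modify' | Format-List
```

When `Granted` is `$false` for a non-admin token but `$true` once elevated, the fix on the support side is a narrow ACL change on that one directory (or moving the program's writable data under the user's profile), not a permanent administrator account for the user; that keeps the point of the post, that "runs as admin" is a convenience masking a small number of specific ACL problems.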
