Bugtraq mailing list archives
SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature
From: jdglaser () NTOBJECTIVES COM (jdglaser)
Date: Wed, 26 Jan 2000 07:14:03 -0800
To anyone who wants to better understand true SAS behavior in Windows NT- Just today, amazingly enough, a very good article arrived from Paula Tomlinson in the Feb. issue of Windows Developer's Journal. In her columns, Understanding NT, she describes the SAS execution flow and fully reviews the details w/ code and API calls of how to replace the Gina AND how to trap and create the logon box. (Which the below listed NT security books say can't happen) Compare the following quotes "you can provide custom code that participates in the logon process AND that controls the user interface for Logging on" - Paula Tomlinson WDJ "(In order to prevent password capture) "This key sequence cannot be duplicated by an application programs" NT Security Handbook by Hadfield While LeBlanc is correct that the Gina is "protected", there is no documentation which widely advises not surfing the web under the Administrator account (I know that NO one here does that anyway:) ) in order to prevent an overflow in your browser(an app running with sufficient privs) to do the damage. Any administrator reading the current crop of NT security books comes away with a false impression - That an application cannot compromise the trusted path. The "Windows NT Security Guide" by Sutton, or the black book, "NT Security Handbook" by Hadfield or any book on the market I know of plainly indicates that NT is designed so that an application can't circumvent the trusted path. This is not correct. None of these books talk about how the SAS is actually protected, They talk about how the Gina is trojan proof. In my mind, this is quite different. jdg NT OBJECTives, Inc. http://www.ntobjectives.com
Current thread:
- Windows 2000 Run As... Feature David Terrell (Jan 21)
- Re: Windows 2000 Run As... Feature Seth R Arnold (Jan 23)
- Re: Windows 2000 Run As... Feature Steven Kastl (Jan 23)
- Re: Windows 2000 Run As... Feature Jesper M. Johansson (Jan 24)
- Re: Windows 2000 Run As... Feature David LeBlanc (Jan 25)
- Re: Windows 2000 Run As... Feature Ben Russell (Jan 25)
- Re: Windows 2000 Run As... Feature Steve Wolfe (Jan 26)
- Re: Windows 2000 Run As... Feature Kenn Humborg (Jan 27)
- SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature jdglaser (Jan 26)
- Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature Jesper M. Johansson (Jan 26)
- Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature Peter Berendi (Jan 27)
- Re: Windows 2000 Run As... Feature David LeBlanc (Jan 25)
- Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature David LeBlanc (Jan 26)
- <Possible follow-ups>
- Re: Windows 2000 Run As... Feature jdglaser (Jan 24)
- Re: Windows 2000 Run As... Feature Camillo Särs (Jan 24)
- multicasts from hell Tim Yardley (Jan 25)
- Re: Windows 2000 Run As... Feature David LeBlanc (Jan 25)
- Re: Windows 2000 Run As... Feature jdglaser (Jan 25)