Bugtraq mailing list archives

SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature


From: jdglaser () NTOBJECTIVES COM (jdglaser)
Date: Wed, 26 Jan 2000 07:14:03 -0800


To anyone who wants to better understand true SAS behavior in Windows NT-
Just today, amazingly enough, a very good article arrived from Paula
Tomlinson in the Feb. issue of Windows Developer's Journal.

In her column, Understanding NT, she describes the SAS execution flow and
fully reviews the details, with code and API calls, of how to replace the Gina
AND how to trap and create the logon box. (Which the NT security books listed
below say can't happen.)

Compare the following quotes:
"you can provide custom code that participates in the logon process AND
that controls the user interface for Logging on" - Paula Tomlinson WDJ

(In order to prevent password capture) "This key sequence cannot be
duplicated by application programs" - NT Security Handbook by Hadfield

While LeBlanc is correct that the Gina is "protected", there is no
documentation which widely advises not surfing the web under the
Administrator account (I know that NO one here does that anyway :) ) in
order to prevent an overflow in your browser (an app running with sufficient
privs) from doing the damage.

Any administrator reading the current crop of NT security books comes away
with a false impression - That an application cannot compromise the trusted
path. The "Windows NT Security Guide" by Sutton, or the black book, "NT
Security Handbook" by Hadfield or any book on the market I know of plainly
indicates that NT is designed so that an application can't circumvent the
trusted path. This is not correct.

None of these books talk about how the SAS is actually protected; they talk
about how the Gina is trojan proof. In my mind, this is quite different.

jdg
NT OBJECTives, Inc.
http://www.ntobjectives.com
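The scenario the post describes, an application with Administrator rights swapping in its own Gina, leaves a trace an administrator can check: Winlogon loads the DLL named in the GinaDLL value under the Winlogon registry key, and falls back to msgina.dll when the value is absent. The check below is an added example, not code from the post or from NT OBJECTives. It assumes the msgina.dll default and a System32 location for unqualified names, and it is written for PowerShell, which did not exist in 2000 but runs on XP SP3 / Server 2003 where the GinaDLL mechanism is still in force (Vista and later ignore the value and use credential providers instead).

```powershell
# Added example (not from the original post): report a replaced GINA on NT 4 / 2000 / XP / 2003.
# Winlogon loads the DLL named in GinaDLL under the Winlogon key; when the value is absent it
# loads msgina.dll from System32. That default path is an assumption of this script.

$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32    = Join-Path $env:SystemRoot 'System32'
$defaultGina = Join-Path $system32 'msgina.dll'

$ginaValue = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL

if (-not $ginaValue) {
    $ginaPath = $defaultGina
    Write-Output "GinaDLL not set; Winlogon uses the default: $ginaPath"
} else {
    # An unqualified name is resolved through the DLL search path; System32 is assumed here.
    $ginaPath = if ([IO.Path]::IsPathRooted($ginaValue)) { $ginaValue } else { Join-Path $system32 $ginaValue }
    Write-Warning "GinaDLL is explicitly set to '$ginaValue' -> $ginaPath"
}

if (-not (Test-Path -LiteralPath $ginaPath)) {
    Write-Warning "GINA file not found at $ginaPath (Winlogon would fail to start a logon session)"
    return
}

# Name and directory are the strong signal: anything other than System32\msgina.dll was put there
# by something running with enough privilege to write the Winlogon key.
$isDefault = ([IO.Path]::GetFileName($ginaPath) -ieq 'msgina.dll') -and
             ((Split-Path $ginaPath -Parent).TrimEnd('\') -ieq $system32.TrimEnd('\'))

# Signature state is informational: on XP/2003 the stock msgina.dll is catalog-signed, so an
# embedded-signature check can legitimately report NotSigned for the genuine file.
$sig = Get-AuthenticodeSignature -FilePath $ginaPath

[pscustomobject]@{
    GinaPath       = $ginaPath
    IsDefaultGina  = $isDefault
    SignatureState = $sig.Status
    Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Verdict        = if ($isDefault) { 'default GINA' } else { 'INVESTIGATE: non-default GINA' }
}
```

Run it in an elevated PowerShell session on the host being examined; for an NT 4 or 2000 machine without PowerShell, export the Winlogon key and inspect the GinaDLL value the same way. Because a replaced Gina sees the cleartext password every user types at the trusted-path prompt, a non-default value should be treated as a password-capture incident, and a hash comparison of the file against a known-good copy from installation media is the reliable follow-up where catalog signing makes the Authenticode result inconclusive.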

