Bugtraq mailing list archives

Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 26 Jan 2000 13:08:45 -0800


At 07:14 AM 1/26/00 -0800, jdglaser wrote:

In her columns, Understanding NT, she describes the SAS execution flow and
fully reviews the details w/ code and API calls of how to replace the Gina
AND how to trap and create the logon box. (Which the below listed NT
security books say can't happen)

You need better NT security books then.

Compare the following quotes
"you can provide custom code that participates in the logon process AND
that controls the user interface for Logging on" - Paula Tomlinson WDJ

(In order to prevent password capture) "This key sequence cannot be
duplicated by an application program" - NT Security Handbook by Hadfield

While LeBlanc is correct that the Gina is "protected", there is no
documentation which widely advises not surfing the web under the
Administrator account (I know that NO one here does that anyway:) ) in
order to prevent an overflow in your browser(an app running with sufficient
privs) to do the damage.

I have to cry foul here.  There have been a large number of posts from Paul
Leach to various forums making the point that if you're running as
administrator, a large number of bad things can happen.  I've said the same
thing.  Go search NTBUGTRAQ on his name, and the word administrator, and I
think you'll come up with more than one hit.  IF you are running as admin,
then you can modify the OS, and anything can happen, including modifying
the logon sequence and inserting device drivers.

Furthermore, there's been a lot of work done on Win2k to allow people to
run as Power User, and not admin - apps that were built for Win9x often
make assumptions that require running as admin.  A good counter-example is
Office 2000, which can be run as an ordinary user.  I hope we'll see newer
apps that work well as ordinary users, so we don't have to take the
in-between step of Power User.  RunAs is just one added tool to help people
to run as a lower-level user, but be able to admin the box when they need to.

Any administrator reading the current crop of NT security books comes away
with a false impression - That an application cannot compromise the trusted
path. The "Windows NT Security Guide" by Sutton, or the black book, "NT
Security Handbook" by Hadfield or any book on the market I know of plainly
indicates that NT is designed so that an application can't circumvent the
trusted path. This is not correct.

Look in Rutstein, pg 17 -
"Unfortunately, the architecture of Intel-based computers [...] does not
allow for this attention sequence to be totally secure. [...] the user
cannot be sure that another process hasn't tampered with the keyboard
driver..."

I am quite sure that Sutton is making the implicit assumption that admin
rights have not been compromised, and a book gets a bit long if you qualify
everything.

None of these books talk about how the SAS is actually protected. They talk
about how the Gina is trojan proof. In my mind, this is quite different.

It is trojan-proof IF and only if an admin account or localsystem have not
been compromised.

David LeBlanc
dleblanc () mindspring com
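The thread's point is that the SAS and GINA are only trojan-proof as long as no admin or LocalSystem account has been compromised, and that the practical defence is to run as an ordinary user and elevate only when needed. The following PowerShell is an added example, not code from the thread or from Microsoft: it checks whether the current token is in the local Administrators group, audits the two Winlogon/LSA registry values an admin-level intruder would change to insert a custom GINA or a password-capturing notification package, and prints the runas command for doing admin work from a non-admin session. The "expected defaults" (no GinaDLL value, and scecli as the only notification package) are assumptions that hold for a stock Windows 2000/XP/2003 install and should be compared against a known-good box; Vista and later replaced the GINA with credential providers, so the GinaDLL check is only meaningful on the older systems the thread discusses.

```powershell
# Added example (not from the original thread). Run in an ordinary PowerShell
# session; reading these registry values does not require admin rights.

function Test-IsLocalAdmin {
    # True if the current token is a member of the built-in Administrators group.
    # This is the condition under which the GINA/SAS protections can be bypassed.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LogonPathAudit {
    # Returns the values that control who participates in the interactive logon
    # path. Both live in HKLM and are writable only by Administrators/SYSTEM.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # GinaDLL: absent means the built-in msgina.dll handles the Ctrl+Alt+Del
    # logon box. Any other DLL here sees every typed password.
    $gina = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL
    $ginaStatus = if (-not $gina -or $gina -ieq 'msgina.dll') { 'default' } else { 'NON-DEFAULT' }

    # "Notification Packages": DLLs that LSA calls on every password change,
    # receiving the new cleartext password. Assumed stock default: scecli only.
    $packages = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).'Notification Packages'
    $expected = @('scecli')                       # assumption: compare with a known-good build
    $extra    = @($packages | Where-Object { $expected -notcontains $_ })

    [pscustomobject]@{
        RunningAsAdmin       = Test-IsLocalAdmin
        GinaDLL              = if ($gina) { $gina } else { '(not set, msgina.dll)' }
        GinaStatus           = $ginaStatus
        NotificationPackages = ($packages -join ', ')
        UnexpectedPackages   = ($extra -join ', ')
    }
}

$audit = Get-LogonPathAudit
$audit | Format-List

if ($audit.RunningAsAdmin) {
    Write-Warning 'This session runs with admin rights; a browser exploit here can replace the GINA.'
    # Least-privilege pattern from the thread: do daily work as a normal user and
    # start only the admin tool under an admin account. Hypothetical account name.
    Write-Host 'From a non-admin session, elevate a single tool instead, e.g.:'
    Write-Host '  runas /user:.\Administrator "mmc.exe compmgmt.msc"'
}
if ($audit.GinaStatus -eq 'NON-DEFAULT' -or $audit.UnexpectedPackages) {
    Write-Warning 'Logon path has been modified; confirm each DLL is an intentional, signed install.'
}
```

runas.exe ships with Windows 2000 and later and prompts for the password on the console, so it never appears in the command line or shell history; `Start-Process -Credential` is the PowerShell equivalent on later systems. A non-default GinaDLL or an extra notification package is not proof of compromise (third-party smart-card and password-sync products legitimately install both), but it is exactly the change an intruder with admin rights would make, which is why the audit is worth running from a build you trust.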

