Bugtraq mailing list archives
Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 26 Jan 2000 13:08:45 -0800
At 07:14 AM 1/26/00 -0800, jdglaser wrote:
> In her columns, Understanding NT, she describes the SAS execution flow and fully reviews the details, with code and API calls, of how to replace the GINA AND how to trap and create the logon box. (Which the below-listed NT security books say can't happen.)
You need better NT security books then.
> Compare the following quotes: "you can provide custom code that participates in the logon process AND that controls the user interface for logging on" - Paula Tomlinson, WDJ
> "(In order to prevent password capture) This key sequence cannot be duplicated by an application program" - NT Security Handbook by Hadfield
> While LeBlanc is correct that the GINA is "protected", there is no documentation which widely advises not surfing the web under the Administrator account (I know that NO one here does that anyway :) ) in order to prevent an overflow in your browser (an app running with sufficient privs) from doing the damage.
I have to cry foul here. There have been a large number of posts from Paul Leach to various forums making the point that if you're running as administrator, a large number of bad things can happen. I've said the same thing. Go search NTBUGTRAQ on his name, and the word administrator, and I think you'll come up with more than one hit. IF you are running as admin, then you can modify the OS, and anything can happen, including modifying the logon sequence and inserting device drivers. Furthermore, there's been a lot of work done on Win2k to allow people to run as Power User, and not admin - apps that were built for Win9x often make assumptions that require running as admin. A good counter-example is Office 2000, which can be run as an ordinary user. I hope we'll see newer apps that work well as ordinary users, so we don't have to take the in-between step of Power User. RunAs is just one added tool to help people to run as a lower-level user, but be able to admin the box when they need to.
> Any administrator reading the current crop of NT security books comes away with a false impression: that an application cannot compromise the trusted path. The "Windows NT Security Guide" by Sutton, or the black book, "NT Security Handbook" by Hadfield, or any book on the market I know of plainly indicates that NT is designed so that an application can't circumvent the trusted path. This is not correct.
Look in Rutstein, pg. 17: "Unfortunately, the architecture of Intel-based computers [...] does not allow for this attention sequence to be totally secure. [...] the user cannot be sure that another process hasn't tampered with the keyboard driver..." I am quite sure that Sutton is making the implicit assumption that admin rights have not been compromised, and a book gets a bit long if you qualify everything.
> None of these books talk about how the SAS is actually protected; they talk about how the GINA is trojan-proof. In my mind, this is quite different.
It is trojan-proof IF and only if an admin account or LocalSystem has not been compromised.

David LeBlanc
dleblanc () mindspring com
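The two practical points in this exchange are that the GINA can be swapped by anyone with admin rights, and that the defence is to do day-to-day work as an ordinary user and use RunAs only when administering the box. The following PowerShell script is an added example, not code from the original post or from any of the cited books. It assumes a Windows host and relies on the Winlogon registry value `GinaDLL` (the NT 4/2000/XP mechanism for installing a replacement GINA, absent by default and ignored from Windows Vista onward); the account names in the `runas` lines are placeholders.

```powershell
# Added example (not from the original thread). Assumes a Windows host with PowerShell.
# GinaDLL under the Winlogon key is the NT 4/2000/XP hook for replacing msgina.dll;
# it is absent on a default install and ignored by Vista and later (Credential Providers).

function Test-RunningAsAdmin {
    # True when the current token carries the Administrators group (as in an interactive admin logon).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-GinaSetting {
    # Returns the configured GINA DLL, or $null when the value is absent (default msgina.dll).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name 'GinaDLL' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GinaDLL
}

# 1. Has the logon UI been replaced? Only an administrator (or LocalSystem) can write this value,
#    which is exactly the condition under which the "trojan-proof" GINA claim stops holding.
$gina = Get-GinaSetting
if ($null -eq $gina -or $gina -ieq 'msgina.dll') {
    Write-Output 'GinaDLL: default (msgina.dll)'
} else {
    Write-Warning "GinaDLL is set to '$gina': the logon UI has been replaced by something with admin rights."
}

# 2. Is this session itself running as admin? If so, a bug in the browser runs with admin rights too.
if (Test-RunningAsAdmin) {
    Write-Warning 'This session is running as an administrator. Run the browser under a less privileged account, e.g.:'
    Write-Output '    runas /user:THISMACHINE\LimitedUser "C:\Program Files\Internet Explorer\iexplore.exe"'
} else {
    Write-Output 'Running as a non-administrator. Elevate only when you need to administer the box, e.g.:'
    Write-Output '    runas /user:THISMACHINE\Administrator cmd.exe'
}
```

Run it from an ordinary user's session and again from an admin session to see the two branches; `THISMACHINE\LimitedUser` and `THISMACHINE\Administrator` stand in for whatever local or domain accounts exist on the box.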