Dailydave mailing list archives
Re: Windows Access Control Demystified
From: "Steven M. Christey" <coley () mitre org>
Date: Sun, 5 Feb 2006 14:30:01 -0500 (EST)
"Bruce Ediger" <eballen1 () qwest net> asked:
to find complex privileges/ACL problems in Windows. I've always suspected that the fine-grained nature of Windows' security mechanisms would result in difficult-to-find, easy-to-make vulnerabilities, andWhat tickled you to suspect this? Was this an intuition born of experience with other operating systems fine-grained security mechanism or do you have some general principle that covers this?
Just a suspicion based on experience and logic, namely: - privilege/ACL management problems are reported for all kinds of software, not just operating systems (e.g. Oracle, Bugzilla, and BEA WebLogic have had a number of issues related to interactions between privileges/ACLs) - developers routinely make patently obvious configuration errors like a world-writable executable - by logic, a developer who makes patently obvious errors is likely to make subtle errors :) After getting a bit more of a look at the Windows Access Control Demystified paper, some of the vulnerabilities don't seem to be that subtle at all. - Steve
Current thread:
- Windows Access Control Demystified Steven M. Christey (Feb 02)
- Re: Windows Access Control Demystified Cesar (Feb 02)
- Re: Windows Access Control Demystified Bruce Ediger (Feb 04)
- <Possible follow-ups>
- RE: Windows Access Control Demystified surreal (Feb 02)
- Re[2]: Windows Access Control Demystified Thierry Zoller (Feb 02)
- RE: Windows Access Control Demystified Taylor, Gord (Feb 02)
- RE: Windows Access Control Demystified Cesar (Feb 02)
- Re: Windows Access Control Demystified ol (Feb 02)
- RE: Windows Access Control Demystified Cesar (Feb 02)
- Re: Windows Access Control Demystified Steven M. Christey (Feb 05)