Penetration Testing mailing list archives

Re: XPSP2 compatability

From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Tue, 24 Aug 2004 17:41:39 +0100

Wow.  Hitting the nail firmly on the head with a sledge hammer there.

I've been toying with the idea of totally encrypting my fixed LAN withIPSec. I'm still evaluating the availability characteristics of the IPSecstack on my wireless network (I've only recently moved to a 2.6 kernel onmy gateway). When I'm sure it meets my requirements, then I'll probablyroll it out to the fixed environment and remove the need to modifyservices by normal users (how my girlfriend would like to be referred toas a 'normal user'.)

I've never really liked 'Run As' as a solution on Windows (althoughadmitedly, most of my experience has been as an observer as opposed to anoperator.) I still need to trust the people I give 'Run As' to, don't I,not to do anything daft? I'm guessing that you can't tie that abilitydown to a single component? Or can you?


It's a bit off-topic now, so I'm happy if replies are off-line.

Kev

-----BEGIN PGP SIGNED MESSAGE-----

"Kevin" == Kevin Sheldrake <kev () electriccat co uk> writes:

    Kevin> privileged users can write to raw sockets?  Perhaps if the XP
    Kevin> installation forced the creation of at least one user account
    Kevin> and spat out a large alert when someone logged on as

  You are right --- the facilities are there. They are just not used.

    Kevin> For instance, my girlfriend uses Win2K on a laptop with a
    Kevin> wifi card.  In order for her to start and stop the built-in
    Kevin> IPSec client (required when she switches between wired and
    Kevin> wireless), she needs to be a power user of some description.
    Kevin> Fine, I'm the administrator so I gave her the capabilities.
    Kevin> Now she can let malware act as a power user when it runs -
    Kevin> brilliant.  On linux, for example, I simply su to start and
    Kevin> stop the IPSec and run the rest of my session as a normal
    Kevin> user.  It's the simple concept of least privilege...

  No, on Linux you can do several things:
    a) always encrypt everything anyway. (simplies everything)
    b) run scripts from dhclient to auto-select things.
    c) use "sudo" to let her run a script
    d) write a setuid program that does the one task.

  Since Win2K, there has been the equivalent of "su". Including the GUI
"Run-As" interface. Is it used? Not that I can tell.
  Why not?

  This isn't about technology --- it never has been.

  It is about letting very brilliant people with no non-MS experience
run the show. They are too smart to bother learning from past mistakes,
even their own.

- --

] "Elmo went to the wrong fundraiser" - The Simpson |firewalls [] Michael Richardson, Xelerance Corporation, Ottawa, ON |netarchitect[] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |devicedriver[] panic("Just another Debian GNU/Linux using, kernel hacking, securityguy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQSjpUIqHRg3pndX9AQFfRwQAqvJZtep6edkIDr+LXl26dVenqGrSX+Z3
KvbY5OVK9gUePhS3gLnFUbIIwkWlhI3EQ4JvoLPv8ZO/FvN8DzcEgslh2e8m6kMQ
yc9yFZvaM4vl32vbGBpK883iKCWA6njF7Ky2Fftr8tgeN9LUSxxldKzZk7vy9ndW
iSVY+fgGMFE=
=rIzN
-----END PGP SIGNATURE-----




--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

Current thread:

RE: XPSP2 compatability, (continued)
- RE: XPSP2 compatability Todd Towles (Aug 20)
  - RE: XPSP2 compatability Joe Smith (Aug 22)
    - RE: XPSP2 compatability Chris Brenton (Aug 22)
- RE: XPSP2 compatability OBrien, Brennan (Aug 20)
  - Re: XPSP2 compatability Kevin Sheldrake (Aug 21)
    - Re: XPSP2 compatability Jophn Deo (Aug 22)
    - Re: XPSP2 compatability Max (Aug 24)
- RE: XPSP2 compatability Wozny, Scott (US - New York) (Aug 20)
  - Re: XPSP2 compatability Kevin Sheldrake (Aug 21)
    - Re: XPSP2 compatability Michael Richardson (Aug 24)
    - Re: XPSP2 compatability Kevin Sheldrake (Aug 24)
    - Re: XPSP2 compatability Michael Richardson (Aug 24)
- RE: XPSP2 compatability Bundschuh, Anthony D. (Aug 23)