Subject: Re: W2k undocumented registry setting fully disables Windows File Protection
From: Jeremy Collake (collakeCHARTER.NET)
Date: Tue Jun 27 2000 - 10:42:35 CDT


> It is important to note that only administrators and server ops have
> permission to write the winlogon key. If you're an admin, resistance is
> (eventually) futile - you've got rights to change anything you like.

(warning: assumptions made on my part<g>) Please remember that the main
reason Microsoft doesn't document, and never intended to provide, a way for
administrators to disable WFP is that they didn't want application
programmers to temporarily disable WFP while they replace various system
files and possibly compromise system stability by inducing DLL hell. In an
ideal environment, where administrators are the only ones who will be
installing new applications on workstations, the WinLogon key will, under
usual permissions, be fully accessible by the application.

Furthermore, especially with Win2k, NT is moving a lot into home use where
the user is usually always a member of the administrator group. Under these
circumstances, subversive code using this registry hack is a definite
possibility.

However, for me, the most important thing about finding this hack is that I
no longer have to boot to safe mode just to replace a system file :). I find
WFP quite annoying and am ever-so-happy to have it disabled.

In my previous message, I incorrectly stated that value 3 of SFCDisable was
documented. It is not. However, value 3 leaves WFP enabled and is changed to
0 after the first boot. I have not had time to really look into it (to say
the least), but it, at a *very* cursory glance, appears to check if the
module which called the SFC init. function was setup.exe or sfctest.exe, and
in either case does something special. Anyway, it doesn't seem significant and
I may or may not be right, as I really haven't looked into value 3 much.

I don't think there is much more that needs to be said about this little hack.
I can tell you that if Microsoft had not provided this backdoor, it would be
*much* more difficult for even an administrator to *fully* disable WFP,
which was their intention.

Jeremy Collake
collakecharter.net
http://www.collakesoftware.com
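Editor's note: the thread above turns on two checkable facts, the SFCDisable value under the Winlogon key (which the poster says WFP itself resets to 0 after a boot when set to 3) and the claim that only Administrators and Server Operators can write that key. The script below is an added example written for this archive page, not code from the original post or from Microsoft. It reads SFCDisable as an unsigned DWORD, flags anything other than the documented default of 0, and lists every principal holding write rights on the key so that a non-administrator grant (which would let "subversive code" running as an ordinary user reach the value) stands out. The path of the Winlogon key is the standard one; the list of principals treated as expected writers is this example's own assumption and should be adjusted to the host.

```powershell
# Added example (not part of the original post): audit the WFP SFCDisable
# value and the write ACL of the Winlogon key discussed in the thread.
Set-StrictMode -Version Latest

# Standard location of the Winlogon key on NT-family systems.
$script:WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Principals we assume are normally allowed to write the key (assumption,
# not from the post; add TrustedInstaller on later OS versions if present).
$script:ExpectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'BUILTIN\Server Operators',
    'CREATOR OWNER'
)

function Get-SfcDisableState {
    param([string]$KeyPath = $script:WinlogonKey)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $raw = $props.PSObject.Properties['SFCDisable']
    if ($null -eq $raw) {
        # No value present: WFP runs with its default (enabled) behaviour.
        return [pscustomobject]@{ Present = $false; Value = $null; Suspicious = $false }
    }
    # REG_DWORD comes back as a signed Int32; mask to show it as the
    # unsigned 32-bit value people actually type into regedit.
    $unsigned = [int64]$raw.Value -band 0xFFFFFFFF
    [pscustomobject]@{
        Present    = $true
        Value      = ('0x{0:X8}' -f $unsigned)
        # The post reports 0 as the value WFP writes back when enabled;
        # anything else deserves a look (3 is transient per the post).
        Suspicious = ($unsigned -ne 0)
    }
}

function Get-WinlogonWriters {
    param([string]$KeyPath = $script:WinlogonKey)
    $acl = Get-Acl -Path $KeyPath
    $rights = [System.Security.AccessControl.RegistryRights]
    # Any of these rights lets the holder set values under the key.
    $writeMask = [int]($rights::SetValue -bor $rights::WriteKey -bor $rights::FullControl)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights) -band $writeMask) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Rights      = $_.RegistryRights
                Inherited   = $_.IsInherited
                # Writers outside the expected set are the finding.
                Unexpected  = ($script:ExpectedWriters -notcontains $_.IdentityReference.Value)
            }
        }
}

function Invoke-WfpAudit {
    $state   = Get-SfcDisableState
    $writers = Get-WinlogonWriters
    if ($state.Suspicious) {
        Write-Warning ("SFCDisable is set to {0}; WFP may be disabled." -f $state.Value)
    } else {
        Write-Host "SFCDisable absent or 0: WFP at default."
    }
    $odd = $writers | Where-Object Unexpected
    if ($odd) {
        Write-Warning "Principals outside the expected set can write the Winlogon key:"
        $odd | Format-Table -AutoSize
    }
    # Return both results so the caller can act on them.
    [pscustomobject]@{ SfcDisable = $state; Writers = $writers }
}

Invoke-WfpAudit
```

Run it from an elevated prompt (reading the value needs no elevation, but Get-Acl on the key does on some builds). A SFCDisable of 0x00000003 caught before the next reboot is consistent with the transient behaviour the poster describes; an "unexpected" writer entry means the admin-only assumption the quoted reply relies on no longer holds on that host.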
