Re: services running in windows domain (winXP clients)
From: Nicolas RUFF (listes) (ruff.lists (at) edelweb.fr)
Date: Wed Jan 05 2005 - 11:41:04 CST
>> "Would make for an interesting project -- to create a matrix of different
>> launch methods and policy compliance results."
> Frank, that actually sounds like a very boring project. I would rather
> make a mountain of toe nails.
Please don't! You just have to read the FM.
Software Restriction Policy (SRP) is called "SAFER" internally by
Microsoft: this is the prefix of all registry keys and APIs involved.
Once you know that, Googling is easier ;-)
According to:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_gpsrp_how.asp
SRP is enforced by:
<quote>
1. ShellExecute. Performs an operation on a specified file.
2. CreateProcess. Creates a new process and its primary thread. The
new process runs the specified executable file in the security context
of the calling process.
</quote>
Indeed, if you look at the debugging symbols for
KERNEL32!CreateProcessInternalW(), you will see a subroutine called
BasepCheckWinSaferRestrictions().
Since services are started by ADVAPI32!StartService(), they are not
subject to SRP. In fact anything that does not call ShellExecute() or
CreateProcess() is not subject to SRP (I did not check for the
screensaver). I guess it would have been more secure to enforce SRP at
NtCreateProcessEx() level ...
BTW, on my Windows XP Pro SP2, I found 5 interesting entries under the
following key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
Those entries are labelled "Stop the download of this file" and do not
appear in the Security Policy Configuration. The filenames are :
Mdac11.cab, mdac20.cab, mdac20_a.cab, _msadc10.cab, msadc11.cab. Is this
some kind of Microsoft trick for blocking old MDAC versions, bundled
with 3rd party software ???
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
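The post points out that the SAFER hash rules live under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` and that some of them never show up in the Security Policy console. The following PowerShell script is an added example, not code from the original message or from Microsoft: it walks that key directly and lists every default, hash and path rule with its security level, so a defender can see the policy actually in effect rather than what the GUI chooses to display. It assumes the documented SRP registry layout: level subkeys named `0` (Disallowed), `131072` (Basic User) and `262144` (Unrestricted), hash rules under `Hashes\{GUID}` with `ItemData` (raw digest), `HashAlg` (CryptoAPI ALG_ID, 32771 = MD5, 32780 = SHA256), `ItemSize`, `FriendlyName` and `Description`, and path rules under `Paths\{GUID}` with `ItemData` holding the path. The `DefaultLevel` and `TransparentEnabled` values are read from the `CodeIdentifiers` key itself.

```powershell
# Added example (not from the original post): enumerate Software Restriction
# Policy (SAFER) rules straight from the local machine policy hive.
# Assumed layout: CodeIdentifiers\<level>\Hashes\{GUID} and \Paths\{GUID},
# with the value names used below. Run in an elevated PowerShell session.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels, as encoded in the level subkey names.
$levelNames = @{
    0      = 'Disallowed'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

# CryptoAPI ALG_ID values stored in HashAlg for hash rules.
$hashAlgNames = @{
    32771 = 'MD5'
    32780 = 'SHA256'
}

function Get-SaferRules {
    param([string]$Root = $saferRoot)

    if (-not (Test-Path $Root)) {
        Write-Warning "No SRP policy present at $Root"
        return
    }

    $rootKey = Get-Item $Root

    # Policy-wide settings: default level and whether DLLs are checked
    # (TransparentEnabled: 1 = executables only, 2 = executables and DLLs).
    $defaultLevel = $rootKey.GetValue('DefaultLevel')
    if ($null -ne $defaultLevel) {
        [pscustomobject]@{
            RuleType    = 'Default'
            Level       = $levelNames[[int]$defaultLevel]
            Item        = "default level (TransparentEnabled=$($rootKey.GetValue('TransparentEnabled')))"
            Description = ''
        }
    }

    foreach ($levelKey in Get-ChildItem $Root) {
        # Level subkeys are numeric; skip anything else (e.g. helper keys).
        $levelNum = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelNum)) { continue }
        $level = $levelNames[$levelNum]
        if (-not $level) { $level = "Level $levelNum" }

        # Hash rules: ItemData is the raw digest, HashAlg names the algorithm.
        $hashesPath = Join-Path $levelKey.PSPath 'Hashes'
        if (Test-Path $hashesPath) {
            foreach ($rule in Get-ChildItem $hashesPath) {
                $digest = ($rule.GetValue('ItemData') | ForEach-Object { $_.ToString('x2') }) -join ''
                $alg = $hashAlgNames[[int]$rule.GetValue('HashAlg')]
                if (-not $alg) { $alg = "alg $($rule.GetValue('HashAlg'))" }
                [pscustomobject]@{
                    RuleType    = 'Hash'
                    Level       = $level
                    Item        = "$alg $digest size=$($rule.GetValue('ItemSize')) file=$($rule.GetValue('FriendlyName'))"
                    Description = [string]$rule.GetValue('Description')
                }
            }
        }

        # Path rules: ItemData is the path (may contain %ENV% references).
        $pathsPath = Join-Path $levelKey.PSPath 'Paths'
        if (Test-Path $pathsPath) {
            foreach ($rule in Get-ChildItem $pathsPath) {
                [pscustomobject]@{
                    RuleType    = 'Path'
                    Level       = $level
                    Item        = [string]$rule.GetValue('ItemData')
                    Description = [string]$rule.GetValue('Description')
                }
            }
        }
    }
}

# List every rule present in the registry, including ones hidden from the
# Security Policy console, such as the "Stop the download of this file" entries.
Get-SaferRules | Sort-Object Level, RuleType | Format-Table -AutoSize -Wrap
```

Reading the rules from the registry rather than from the console is the point: the console only renders entries it recognises, while the hash entries the post found are still rules that `BasepCheckWinSaferRestrictions()` will apply to anything launched through `CreateProcess()` or `ShellExecute()`. It also makes the post's caveat concrete: a service binary matching a Disallowed hash rule listed here is still started by `StartService()` without passing through these checks, so SRP output should not be read as a statement about what services are permitted to run.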