>In all the hubbub over whether the semantic of the Run As... feature
>in Windows 2000, a much more important shortcoming is that this is
>the first time (I know of) that the system asks for your password
>through a mechanism other than the trusted path (ctrl-alt-del to
>login, ctrl-alt-del to change password). This is an unfortunate
>compromise in an otherwise useful feature.

How much of a compromise is it really? I just looked at the executable and it seems to be reasonably tightened down with only RX for Users, PowerUsers and Everyone. Unless there is some backdoor to replace the directory entry that's about the best we can do.

Note that the SU command in the 4.0 Resource Kit also has this problem. Except that there the default ACL is considerably less restrictive. On my machine, Everyone has Modify rights to that command, as well as to the SUSS SU service. I assume that there are no special rights set on these files and that they simply take the permissions from the parent directory upon installation. Something to think about...

Note that the ACL does of course not guard against presenting a user with the command line dialog without having to type in the RunAs command. However, common sense is used to guard against that. Also, the trusted path did not preclude the use of that attack either. I have actually seen one where users were presented with a login screen without the three-finger salute, and simply entered their passwords.

Jesper M. Johansson
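
An added example, not part of the original message: a PowerShell audit for the ACL condition discussed above. It lists allow entries that give Everyone, Users or Power Users write, delete or permission-change rights on a credential-prompting executable and on its parent directory, from which new files inherit. The default target path, the variable names and the function name `Get-BroadWriteAce` are assumptions of this example; the Resource Kit SU files are not listed because the message does not give their location.

```powershell
# Added example (not from the original message).
# Assumption: the targets are chosen by the auditor; only runas.exe is listed by default.
$targets = @("$env:SystemRoot\System32\runas.exe")

# Broad groups named in the message, as well-known SIDs (locale independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-547' = 'Power Users'
}

# Rights that permit replacing the file, or changing its ACL or owner.
# On a directory, WriteData/AppendData mean "create file" / "create subdirectory".
$fsr  = [System.Security.AccessControl.FileSystemRights]
$mask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
              $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
              $fsr::TakeOwnership)
# Inheritable ACEs can store unmapped generic bits: GENERIC_WRITE, GENERIC_ALL.
$mask = $mask -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string]$Item)
    $acl   = Get-Acl -LiteralPath $Item
    # Ask for SIDs instead of account names so the comparison is exact.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')                  { continue }
        if (-not $broadSids.ContainsKey($sid))                   { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0)      { continue }
        [pscustomobject]@{
            Item      = $Item
            Group     = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

foreach ($t in $targets) {
    Get-BroadWriteAce -Item $t                        # the executable itself
    Get-BroadWriteAce -Item (Split-Path -Parent $t)   # the directory entry
}
```

No output means none of the three groups can modify the listed files or their directories; an entry with `Inherited` set to `True` came from the parent directory rather than from an ACL set on the file itself.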
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:30:53 PDT