Re: SAS behavior in Windows NT - RE: Windows 2000 Run As...

From: David LeBlanc (dleblancat_private)
Date: Wed Jan 26 2000 - 13:08:45 PST


    At 07:14 AM 1/26/00 -0800, jdglaser wrote:
    
    >In her columns, Understanding NT, she describes the SAS execution flow and
    >fully reviews the details w/ code and API calls of how to replace the Gina
    >AND how to trap and create the logon box. (Which the below listed NT
    >security books say can't happen)
    
    You need better NT security books then.
    
    >Compare the following quotes
    >"you can provide custom code that participates in the logon process AND
    >that controls the user interface for Logging on" - Paula Tomlinson WDJ
    
    >"(In order to prevent password capture) "This key sequence cannot be
    >duplicated by an application programs" NT Security Handbook by Hadfield
    
    >While LeBlanc is correct that the Gina is "protected", there is no
    >documentation which widely advises not surfing the web under the
    >Administrator account (I know that NO one here does that anyway:) ) in
    >order to prevent an overflow in your browser (an app running with sufficient
    >privs) to do the damage.
    
    I have to cry foul here.  There have been a large number of posts from Paul
    Leach to various forums making the point that if you're running as
    administrator, a large number of bad things can happen.  I've said the same
    thing.  Go search NTBUGTRAQ on his name, and the word administrator, and I
    think you'll come up with more than one hit.  IF you are running as admin,
    then you can modify the OS, and anything can happen, including modifying
    the logon sequence and inserting device drivers.
    
    Furthermore, there's been a lot of work done on Win2k to allow people to
    run as Power User, and not admin - apps that were built for Win9x often
    make assumptions that require running as admin.  A good counter-example is
    Office 2000, which can be run as an ordinary user.  I hope we'll see newer
    apps that work well as ordinary users, so we don't have to take the
    in-between step of Power User.  RunAs is just one added tool to help people
    to run as a lower-level user, but be able to admin the box when they need to.
    
    >Any administrator reading the current crop of NT security books comes away
    >with a false impression - That an application cannot compromise the trusted
    >path. The "Windows NT Security Guide" by Sutton, or the black book, "NT
    >Security Handbook" by Hadfield or any book on the market I know of plainly
    >indicates that NT is designed so that an application can't circumvent the
    >trusted path. This is not correct.
    
    Look in Rutstein, pg 17 -
    "Unfortunately, the architecture of Intel-based computers [...] does not
    allow for this attention sequence to be totally secure. [...] the user
    cannot be sure that another process hasn't tampered with the keyboard
    driver..."
    
    I am quite sure that Sutton is making the implicit assumption that admin
    rights have not been compromised, and a book gets a bit long if you qualify
    everything.
    
    >None of these books talk about how the SAS is actually protected. They talk
    >about how the Gina is trojan proof. In my mind, this is quite different.
    
    It is trojan-proof IF and only if an admin account or localsystem have not
    been compromised.
    
    
    David LeBlanc
    dleblancat_private
    


