I think your comment about this being “more than the OS allows” is
interesting. In my experience, very little of the rather rich security
infrastructure within Windows is actually utilized. Instead, what
people seek to do is add a *different* layer of security over the
existing system not because of features lacking in the underlying OS,
but in the need to allow poorly written programs (need I pick on the
Service Control Manager again?) function “properly”.
If you don’t want people to execute unauthorized programs, I can easily
think of many ways to achieve this that does not rely upon analyzing the
name of the binary. For example, you could restrict execution privilege
to only authorized (locked down) directories. THAT’s relatively easy to
implement with a simple file system filter + NTFS ACLs.
The Windows OS security model is actually well-grounded in OS security
principles (discretionary access control, no object exposure,
authorization and identification, etc.) The use of that security model
is atrocious (creating all-powerful users and groups and installing with
those privileges out-of-the-box) because most OS customers don’t really
care about security at this level. Microsoft clearly has indicated over
and over that their concern is the volume market, be that desktop or
server. I can’t blame them - they have an obligation to maximize their
profit for the benefit of their shareholders. Fighting malware,
viruses, or other “authorized” security threats is an attempt at
allowing people to enjoy the freedom of lax security, while protecting
them from their own ignorance.
You CAN harden a Windows box. But when you are done a surprisingly
large number of things just don’t work right anymore. Be it the Service
Control Manager (because it hard codes the “Administrators” group in its
ACL and in keeping with good hardening you’ve gutted all the well known
groups on your system) or the applications that insist on accessing
files for write that should only be read, or people who are too used to
just downloading and installing one more little doo-dad so they can look
at another malicious web page, etc.
Security - real security - is tough to live with, largely because the
ultimate threat to security on the box are the users. Damn them but
they want to use it to “get work done”.
Now excuse me while I go install another ActiveX control…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Eugene Lomovsky
Sent: Tuesday, August 02, 2005 4:46 AM
To: ntfsd redirect
Subject: Re:[ntfsd] Beginner Question.
Greetings mortal, Don!
You wrote on Mon, 1 Aug 2005 12:57:26 -0400:
DB> Well I guess you are chasing a fools errand then. You will not be
DB> able to do this for any commercial product. I know it has been
DB> done once on a custom product (lock down the exact service pack,
DB> hotfixes etc, and be willing to go way beyond the acceptable
norm).
DB> Detecting something is being loaded to run, with all the possible
DB> command shells, interpreters, and tricks with DLL’s is near the
DB> edge of being impossible (I would say it is impossible, but that
DB> would just cause arguments).
It isn’t a fool protection. Try to read something about top secret
environment, national
security requirements, software certification etc. So has formed here in
our country many
state structures work on a platform from Microsoft. And as I already
spoke, there are
requirements which demand much more, than allows OS and, by the way,
solutions are
successfully and maintained here already more than 7 years. If such
tasks seem to you
unreliazable it is not necessary to speak it for all.
It isn’t one driver. It is a complex system with remote administration,
with logs
gathering etc… It is OS expansion from the direction of management and
security…
DB> It is interesting to note you listed this as a beginners question.
DB> The areas you are poking around in are as far from something a
DB> beginner should be dealing with as I can imagine.
The initial question is very close to that I have made. What for to the
beginner to step
on the same rake? May be I see too far, but my solution is more
flexible, multi-purpose…
May be for him will enough to use callbacks, but when him will ask about
something more,
he should begin all anew.
PS: sorry for my english
Eugene.
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
When you deal with protection profile this phrase can sound differently. “allow EXACTLY
The customers want “to allow execution only what could be