
Securing IIS

Started by Grok, August 11, 2003, 07:18 AM


Skywing

Quote from: St0rm.iD on August 15, 2003, 06:35 PM
Proving once again why Windows' privilege system sucks. Should see me at school demonstrating it :)

A mod_dotnet for Apache on FreeBSD would be so awesome :)
Actually, this has little-to-none to do with the Windows privilege model - it's a problem with application developers writing sloppy code that doesn't work well without lots of privileges.

Camel

#31
Skywing, one could argue that the problem is that when the core of Windows was written, security was not an issue, or even very much of a consideration. That's why there are so many holes that can be taken advantage of.

MSBlast is a prime example of the typical Windows security flaw. Go ahead; convince me that the reason MSBlast spread was because of "application developers writing sloppy code..."


[edit] BTW Skywing, I agree with you but I just feel like playing the devil's advocate tonight. :D

Kp

Quote from: Camel on August 15, 2003, 09:59 PM
Skywing, one could argue that the problem is that when the core of Windows was written, security was not an issue, or even very much of a consideration. That's why there are so many holes that can be taken advantage of.

MSBlast is a prime example of the typical Windows security flaw. Go ahead; convince me that the reason MSBlast spread was because of "application developers writing sloppy code..."
The Windows NT privilege model is actually quite complex in terms of how well subdivided it is.  The problem is that, as Skywing points out, the applications that Microsoft provides in many cases wrongly rely on these high privilege levels.  Based on the duties of an RPC endpoint mapper, I would expect it to require filesystem access to read its configuration data, registry read to do the same, and permission to bind a network socket / send datagrams.  However, Microsoft chose to have it running under an account which can do all those things and far too much more.  That is why MSBlast can spread and cause problems.

If the people responsible for choosing what services to run under which IDs had consulted a listing of the RPC mapper's requirements and then matched it to an account with just that access and nothing more, MSBlast's damage would be significantly reduced.  It would be able to crash unpatched RPC mappers, possibly install itself, and that's about it.  It wouldn't have permission to write to anywhere terribly important, couldn't create accounts, couldn't create raw sockets, etc.  IMO, the fault lies with the people who chose to just run everything as LocalSystem rather than tailoring the services to IDs of appropriate access.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Grok

#33
I agree with Kp.

Microsoft did indeed write Windows NT with security in mind, from the ground up.  The Pentagon can purchase NT and secure it by paying attention to the details of which services run on which accounts, locking down the registry and file system, and physically restricting access.

But Microsoft also needed to sell it to the general public .. which in 1993 did not require Pentagon type security.  Thus, someone probably in marketing made the decision to release Windows NT with all services running as SYSTEM, and all file system permissions and most registry permissions set to 'Everyone'.  Not even 'Authenticated Users'.

To gain widespread acceptance, Windows NT had to have widespread usability, thus be configured for the general user.  It's still a configuration issue though, and not one of architecture or design, in my understanding.

Adron

Actually, doesn't RPC need impersonation/token management rights?

Camel

Grok, wouldn't it make much more sense to have a 'System' group of accounts that would normally not be visible to the end user, thus relieving said marketing problem?

Banana fanna fo fanna

Windows' privilege system sucks simply because most services run at a *much* higher privilege level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for the service to run on.

Also, I got Mono to run on Red Hat (!!!)

Kp

Quote from: Adron on August 16, 2003, 04:15 AM
Actually, doesn't RPC need impersonation/token management rights?
Some of the remotely invokable services might, but the endpoint mapper shouldn't.  An endpoint mapper's only task (to me) is to provide a well known port which can be queried to find the ephemeral ports of other services.  Perhaps I'm misexplaining which program I meant (or don't know all of its other duties -- I haven't poked at it much).

Adron

I don't really know, but I thought that whatever runs on that port was able to *start* a server running on an unused port under the credentials of whoever is connecting. Then your next step would be to connect directly to that server.

Skywing

Quote from: St0rm.iD on August 16, 2003, 05:43 PM
Windows' privilege system sucks simply because most services run at a *much* higher privilege level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for the service to run on.

Also, I got Mono to run on Red Hat (!!!)
Typically you install things with admin privileges, so setup programs can often create accounts if necessary.

LocalService and NetworkService are preexisting accounts that can be used in XP/2003.
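
The least-privilege point made earlier in the thread (match each service to an account with only the access it needs) and the LocalService/NetworkService accounts mentioned above, as an added example that is not part of the original thread: a PowerShell audit of which account every service logs on as. It assumes PowerShell 3.0 or later; the function names and `ExampleSvc` are hypothetical.

```powershell
# Added example (not from the thread): list the logon account of every service.
# Requires PowerShell 3.0+ for Get-CimInstance. Function names are hypothetical.

# Built-in service accounts and what a compromised service would inherit.
$BuiltIn = @{
    'LocalSystem'                 = 'full control of the machine'
    'NT AUTHORITY\NetworkService' = 'limited rights; computer credentials on the network'
    'NT AUTHORITY\LocalService'   = 'limited rights; anonymous on the network'
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is a full command line; the executable may be quoted or not.
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-ServiceAccountAudit {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        # StartName can be empty for some services, so never index with $null.
        $account = if ($_.StartName) { $_.StartName } else { '(none)' }
        $scope = 'other account; review the rights it holds'
        if ($BuiltIn.ContainsKey($account)) { $scope = $BuiltIn[$account] }
        [pscustomobject]@{
            Name = $_.Name; State = $_.State; StartMode = $_.StartMode
            Account = $account; Scope = $scope
            Binary = Get-ServiceBinaryPath $_.PathName
        }
    }
}

$audit = Get-ServiceAccountAudit

# How many services share each account: shows how much runs as LocalSystem.
$audit | Group-Object Account | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Running LocalSystem services are the candidates to re-home on a lesser account.
$audit | Where-Object { $_.Account -eq 'LocalSystem' -and $_.State -eq 'Running' } |
    Sort-Object Name | Format-Table Name, StartMode, Binary -AutoSize

# To move a service that needs no extra rights (ExampleSvc is a placeholder):
#   sc.exe config ExampleSvc obj= "NT AUTHORITY\LocalService" password= ""
```

Test a service after changing its account; one that depends on LocalSystem rights will fail to start or lose functionality.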

MyndFyre

Quote from: St0rm.iD on August 16, 2003, 05:43 PM
Windows' privilege system sucks simply because most services run at a *much* higher privilege level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for the service to run on.

Also, I got Mono to run on Red Hat (!!!)

I fail to see how Windows' privilege system sucks because services written for Windows choose to use too high of a user.  That's up to the publisher, not Windows.

Kp

Quote from: Myndfyre on September 21, 2003, 03:18 PM
Quote from: St0rm.iD on August 16, 2003, 05:43 PM
Windows' privilege system sucks simply because most services run at a *much* higher privilege level than they need to. Why? Because the software vendors feel that users are too stupid to create new accounts for the service to run on.

Also, I got Mono to run on Red Hat (!!!)
I fail to see how Windows' privilege system sucks because services written for Windows choose to use too high of a user.  That's up to the publisher, not Windows.
I concur with you about it being a problem with the services, not with the base OS model.  However, I should point out that most of the services in question are written by Microsoft and distributed in the default Windows install.  Some services, such as the RPC services, are actually vital for basic tools to work fully.  For instance, Windows Explorer right-drag&drop facility breaks down if the RPC services get stopped.
