Re: Block (or Hide) Control Panel



Actually, most services run with the LocalSystem account, which I believe is a good deal
more restricted than Administrator. Network backup products, for example, require either
"Backup Operator" or "Administrator" privileges...where Backup Operator is somewhat more
restricted than Administrator, but can read or write any file on the network.

And given some of the privilege escalation attacks you can create that cause privileged
apps to run untrusted code, the ability to have a privileged app cross desktops is
truly scary.

Concepts like "least authority" don't work, either, because authority is too homogeneous.
Vista addresses this by running each app at the lowest possible security privilege level
consistent with that app, but this overall still isn't good enough, because centuries of
actual security experience by human organizations have demonstrated that
compartmentalization determined by "need to know" is the most effective system. So, for
example, as long as arbitrary code can come across the Internet and read or write any
state on my machine, where I cannot control the access as to what it is reading or
writing, makes them serious security risks. As amply demonstrated by the current
vulnerabilities.

There's just a little too much of "my job would be easier if I didn't need to deal with
security, so please add this API" that went on at Microsoft, back when computers were
thought of as "personal" and accessible only by one individual. What is astonishing is that
the documentation on BroadcastMessage is remarkably sketchy, particularly about security.
joe

On Sun, 17 Dec 2006 16:35:22 -0800, "David Ching" <dc@xxxxxxxxxxxxxxxxxxxxxx> wrote:

"Joseph M. Newcomer" <newcomer@xxxxxxxxxxxx> wrote in message
news:tnfbo25pgueunkv73v0he11veuefn21n8s@xxxxxxxxxx
To do this, the process has to have the SE_TCB_NAME right, which marks it as part of the
"trusted computer base", at least that's what the documentation claims.

Otherwise, this essentially makes it possible for cross-desktop messaging, and this
obviates all security in the system.

If I have the right to do this, I can compromise nearly every attempt at security in the
system, which is a very, very scary concept.

Secure or not, this is what is provided in Windows. I'm no expert on
security, but I've thought that services are by definition "trusted" since
they run with Admin privilege (whatever that means in these days of UAC).

-- David
Joseph M. Newcomer [MVP]
email: newcomer@xxxxxxxxxxxx
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
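
An audit of who holds the rights discussed in this thread, added here as an example and not code from either poster: it parses a user-rights export and reports accounts granted SeTcbPrivilege (the string behind SE_TCB_NAME) or the backup/restore rights beyond an expected set. The sample file contents, the `svc_backup` account, the domain SID and the expected-holder list are all constructed assumptions.

```python
import re

# Constructed sample (not from the thread) of a "secedit /export /areas USER_RIGHTS" file.
SAMPLE_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,svc_backup
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

# Expected holders are an assumption of this example; SE_TCB_NAME is "SeTcbPrivilege".
ADMINS, BACKUP_OPS = "*S-1-5-32-544", "*S-1-5-32-551"
EXPECTED = {
    "SeTcbPrivilege": set(),  # no account should be granted this explicitly
    "SeBackupPrivilege": {ADMINS, BACKUP_OPS},
    "SeRestorePrivilege": {ADMINS, BACKUP_OPS},
}

def parse_privilege_rights(inf_text):
    """Return {privilege: set(holders)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {h.strip() for h in value.split(",") if h.strip()}
    return rights

def unexpected_holders(inf_text, expected=EXPECTED):
    """Return {privilege: sorted unexpected holders} for the audited privileges."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv, allowed in expected.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            findings[priv] = sorted(extra)
    return findings

if __name__ == "__main__":
    print(unexpected_holders(SAMPLE_INF))
```

On a real host the input would come from `secedit /export /cfg rights.inf /areas USER_RIGHTS`, whose output is normally UTF-16 and needs decoding before it is passed in.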