ACL when using SRP & LUA

Discussion in 'other security issues & news' started by Dahlie, Jan 11, 2010.

Thread Status:
Not open for further replies.
  1. Dahlie

    Dahlie Registered Member

    Joined:
    Jan 11, 2010
    Posts:
    6
    Hi!

    I just implemented SRP+LUA on my Windows 7 Professional x64 machine. Seems to be some really powerful stuff! But there are some things I don't have a real grip on yet, especially ACL that I haven't messed with before. I had to add a couple of locations to the SRP as unrestricted, which I mention below. But doesn't that mean that it's possible for malware to write to these locations and have execution rights (not admin rights though)?!

    These are the locations on my systems that I had to add to SRP as unrestricted:

    1. C:\ProgramData - I had at least 1 app that needed to execute from its folder under ProgramData (I haven't tested yet if there are more applications requiring this). Should I remove some ACL rights for this folder for the standard user?!

    2. D:\Program - I have a database application here that needs its space on a separate drive. For this folder it seems the standard user doesn't have write rights under ACL, but there's something called "Authenticated Users" that has write rights. When testing under LUA I can write to and execute from the folder. Which rights should I remove?

    I hope you can make things clearer for me. Thanks in advance!
     
  2. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    1- No, don't mess with ACL, especially when it is about lowering security.

    Deal with your problem by creating an exception list in SRP.

    2- In this case, you can try to remove the write right from your "Authenticated Users" (belongs to the users group anyway) - i.e. give only read and execute rights - and check that you didn't break anything.
     
  3. Dahlie

    Dahlie Registered Member

    Joined:
    Jan 11, 2010
    Posts:
    6
    Thank you for the quick response!

    1. I added it as an exception in SRP (unrestricted). But now I'm able to copy an executable to the folder under LUA and execute it. Isn't this a security risk? Or do you mean some other setting under SRP?!

    2. I'll test it out. I should remove the inheritance for this folder right?!
     
  4. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    1- Somewhere in the SRP threads, you will find a way to log SRP rules, so that you know which file you need to allow to execute. This is the file you should allow with an exception in your SRP setup. You shouldn't allow execution in a folder where the standard user has write rights. As you correctly said, this is a security hole.

    2- If not already done, have your administrator account take ownership of this folder. Then go to ACL, copy the rules when asked after you untick inheritance. Give total control to admin and system, and read and execute to standard users. It should be enough.
    Note the configuration first, so that if something doesn't go well afterwards, you will be able to come back to a working state.
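    As an added example (not code from anyone in this thread), here is a PowerShell script that carries out the steps described above against one folder: it first saves the current ACLs so they can be restored, reports which entries currently let a standard user write into the folder, then (only with -Apply) takes ownership for Administrators, unticks inheritance while copying the existing entries, and replaces the grants with full control for Administrators and SYSTEM and read/execute for Users. The default path D:\Program is the one from the thread; the parameter and function names and the backup file location are my own choices, and the script assumes it is run from an elevated PowerShell prompt on Windows 7 or later, where icacls and takeown are built in.

```powershell
# Added example (not from the thread): audit, back up and harden a folder
# that SRP treats as Unrestricted, so standard (LUA) users keep read/execute
# but lose the ability to write into it.
# Assumptions: elevated prompt; $Folder defaults to the poster's D:\Program;
# $BackupFile is an arbitrary location chosen for this example.
param(
    [string]$Folder = 'D:\Program',
    [string]$BackupFile = "$env:TEMP\acl-backup.txt",
    [switch]$Apply
)

# Identities a standard user account is effectively a member of.
$StandardUserGroups = 'Users', 'Authenticated Users', 'Everyone'
# Rights that allow creating or altering content in the folder.
$WritePattern = 'Write|Modify|FullControl|CreateFiles|AppendData|Delete'

function Get-StandardUserWriteAces {
    param([string]$Path)
    # Return every Allow entry that grants a write-class right to one of the
    # standard-user groups. FileSystemRights is a flags enum, so matching on
    # its string form catches combined rights; generic rights that show up as
    # raw integers (e.g. 268435456) are not matched and should be checked by eye.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $group = $ace.IdentityReference.Value -replace '^.*\\', ''
        if ($ace.AccessControlType -eq 'Allow' -and
            $StandardUserGroups -contains $group -and
            $ace.FileSystemRights.ToString() -match $WritePattern) {
            $ace
        }
    }
}

function Backup-FolderAcl {
    param([string]$Path, [string]$File)
    # "Note the configuration first": icacls /save records the DACLs of the
    # folder and everything under it. To roll back, run
    #   icacls <parent of $Path> /restore $File
    icacls $Path /save $File /T /C | Out-Null
}

function Protect-UnrestrictedFolder {
    param([string]$Path)
    # 1. Administrators take ownership, recursively, answering Yes to prompts.
    takeown /F $Path /A /R /D Y | Out-Null
    # 2. Untick inheritance but copy the inherited entries onto the folder,
    #    so nothing is lost before the grants are rewritten.
    icacls $Path /inheritance:d | Out-Null
    # 3. Replace the grants (/grant:r) with full control for Administrators and
    #    SYSTEM and read/execute for Users. (OI)(CI) makes the entries inherit
    #    to files and subfolders, which removes the need to touch each one.
    icacls $Path /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null
    # 4. Drop the separate Authenticated Users grant that carried the write right.
    icacls $Path /remove:g 'Authenticated Users' | Out-Null
}

Backup-FolderAcl -Path $Folder -File $BackupFile
Write-Host "ACL backup written to $BackupFile"

Write-Host "Entries letting a standard user write into $Folder (before):"
Get-StandardUserWriteAces -Path $Folder |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($Apply) {
    Protect-UnrestrictedFolder -Path $Folder
    Write-Host "Entries letting a standard user write into $Folder (after):"
    $left = @(Get-StandardUserWriteAces -Path $Folder)
    if ($left.Count -eq 0) {
        Write-Host '  none - standard users can no longer write here.'
    } else {
        $left | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    }
} else {
    Write-Host 'Dry run only; re-run with -Apply to change the ACL.'
}
```

    Run it once without -Apply to see what would change, then with -Apply and re-test the application under the standard account. Subfolders that already carry their own explicit entries keep them, so if the "after" list is not empty, inspect those paths individually; the backup file lets you return to the previous state if the application stops working.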
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Merge this to start logging the SRP messages. Be sure to create your own file and directory!!

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "LogFileName"="c:\\SRP_Log.txt"
    
    Sul.

    EDIT: simply delete this value to stop logging, or set the value "LogFileName" to equal nothing (i.e. "" )
     
  6. Dahlie

    Dahlie Registered Member

    Joined:
    Jan 11, 2010
    Posts:
    6

    1. I turned on logging according to Sully's post. The problem with this app is that there are 30+ DLLs with it, so I can't just add a few EXEs. Why shouldn't I touch ACL in this case? I did in fact remove the write privileges for "C:\ProgramData\App_name" for Authenticated Users (and "C:\ProgramData\App_name" is set as unrestricted in SRP), in the way you recommended for case 2, and it's working well so far.

    I guess that the ProgramData folder isn't supposed to hold executables normally and that this app is using it in a non-intended way?!

    2. Applied the changes and things seem to be working great so far!
     
    Last edited: Jan 12, 2010
  7. Jav

    Jav Guest

    It doesn't have executables, it does contain DLLs.

    I am experiencing the same problem, NIS 2010 wants to execute (I think it was Database DLL) from Program Data but SRP is blocking it :doubt:
     
  8. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Is this the method to use for logging in Windows 7 Ultimate as well? Is there a non-registry method to activate logging?
     