DACLs raising hackles!

Discussion in 'other security issues & news' started by MacQibble, Mar 2, 2011.

Thread Status:
Not open for further replies.
  1. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    Hi.

    Sorry. Removed. Probably posted in wrong place! Very old now... :doubt:
     
    Last edited: Mar 2, 2011
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I was writing a response. Where did your question go?
     
  3. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    :oops: Erm... I thought maybe I needed to learn more before making a fool of myself. Deleted the lot, 'fraid. :rolleyes:
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I sent you my post in PM. I think others may be interested in the topic too though.
     
  5. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    Hi MrBrian,

    Will need to study your PM !!

    Found my notepad draft of my post. Given your comment that others might find the topic interesting I'm reinstating it so that your PM can be public. Feeling more daft now. :oops:

    ----------
    John R. Michener's MSDN article on Access Control { http://msdn.microsoft.com/en-us/magazine/cc982153(printer).aspx } made me rethink my existing setup but I lack the competence to do it safely!

    JR explains that to avoid the risk of cross-user malware/hacker elevation exploits you shouldn't mix user writeable files with executable files and should have separate directories for files that must be trusted (such as executables) and files that must not be trusted (anything potentially written by an untrusted user).

    Before Win 7 I never bothered with UAC or standard accounts and am long used to storing my OS and progs on the system partition, all data on another, temp files on another, and all downloads or pre-instal wrappers on another so I can back them up separately to the system.

    Trouble is, admin and standard accounts are a nightmare to me for file management and access let alone security when trying to use a non-default setup.

    In the absence of expertise I did the following:

    For temporary files I used environmental variables to change the system temp path and moved IE's storage folder so my temporary set up was solved easily enough (except it isn't in every instance but I live with that).

    For data, I created folders in my data drive with similar names to my libraries and linked same. With Win 7's over-the-shoulder UAC I rarely log in as administrator --- especially if online --- but when I have to, any files I create or apps I download aren't available to me back as standard user unless I directly save them to my data partition. This seems to break JR's cardinal rule about mixing admin and standard files?

    I've found advice on moving the Users folder or individual accounts to my data partition, but don't know how this impacts on system image backups.
    I've left the User folder untouched so that I can simply image the system and temp partitions and file/folder backup the rest. Seems to work.

    JR advises that "The simplest and safest choice for installing an application is to duplicate the security settings in the Program Files folder". I did this to my downloads partition and found I couldn't save downloads as I now didn't have write permission.

    The confusion gets worse because downloads are sometimes run-in-situ apps that don't instal into the system programs folders.
    So if I amend my downloads partition's DACLs to match the User folder's downloads DACLs I'm presumably causing even more mess?

    I'm guessing loads of folk have separate partitions so these DACLs wheels have already been invented. Not sure I'd understand the answers but thanks to MrBrian I'm studying the esoteric subject of DACLs.

    Sorry for the length but it's a dense topic for me.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have a multi-partition setup also. One partition is for programs and Windows. The other partition is for data.

    For the data partition, I created two subfolders: Backup, and Brian (that's not my real first name, but you get the idea). The Backup folder is used to store backups made by my backup programs. Administrators and System have full control over the Backup folder and all its contents. I also gave my two accounts - the specific admin account that I use and also my standard account - read only access to the Backup folder and all its contents, because sometimes I sync the Backup folder to an external drive while I'm not a full admin.

    The Brian folder is used to store my documents, downloads, temp files, etc. Some of the subfolders of Brian are Documents, Download, Programs (for program installers), and Temp. The Temp folder is for stuff that I'm temporarily working on; I don't use it for the system's temp files as you do. The Brian folder and all its contents have full control for Administrators, System, my specific admin account, and my standard account. In the Documents folder are subfolders such as Pictures and Program Data. The Program Data folder contains program-specific data such as my Firefox profile and the Favorites folder for Internet Explorer.

    I don't remap any of the special folders from their defaults unless it's absolutely necessary, such as for the Favorites folder for Internet Explorer. So when a program tries to put its stuff in the Documents folder, it goes into the appropriate folder on the programs partition instead of cluttering the Documents folder in my data partition.

    If you have other users, they can have their own folder on the data partition, similar to the Brian folder that I mentioned already.

    There's no ongoing maintenance needed for this scheme once you've set it up. It's worked well for me.

    ----
    P.S. I use TrueCrypt to encrypt sensitive information on the data partition.

    I use Areca Backup for file-based backup in the data partition, Macrium Reflect Free for backup of the system partition, and SpiderOak (free account) for online backup of the Documents folder.
     
    Last edited: Mar 2, 2011
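An added example (not MrBrian's own commands) of setting up the two-folder layout he describes above with the built-in icacls tool, run from an elevated PowerShell prompt. Everything named here is a placeholder to replace: the data partition is assumed to be D:, and the two personal accounts are assumed to be MYPC\brian-admin (the specific admin account) and MYPC\brian (the standard account).

```powershell
# Added example, not MrBrian's own commands. Builds his two-folder layout on a data
# partition with the built-in icacls tool. Run from an elevated PowerShell prompt.
# Assumptions (placeholders, change them): data partition D:, personal accounts
# MYPC\brian-admin (the specific admin account) and MYPC\brian (the standard account).
$DataDrive = 'D:'
$AdminUser = 'MYPC\brian-admin'
$StdUser   = 'MYPC\brian'
$Backup    = Join-Path $DataDrive 'Backup'
$UserRoot  = Join-Path $DataDrive 'Brian'

# Safety net before touching any DACL: record the partition's current ACLs so a
# mistake can be undone with  icacls <directory> /restore $AclBackup
# (/T walks the whole partition, so this can take a while on a large data drive).
$AclBackup = Join-Path $env:USERPROFILE 'data-acls-before.txt'
icacls "$DataDrive\" /save $AclBackup /T /C /Q

New-Item -ItemType Directory -Force -Path $Backup, $UserRoot | Out-Null

# Backup: Administrators and SYSTEM get full control; the two personal accounts
# get read and execute only, so backups can be copied off but only elevated
# programs can write them.
# /inheritance:r drops the ACEs inherited from the volume root, /grant:r replaces
# the explicit grants, (OI)(CI) makes each ACE inherit to files and subfolders,
# F = full control, RX = read and execute.
icacls $Backup /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${AdminUser}:(OI)(CI)RX" `
    "${StdUser}:(OI)(CI)RX"

# Personal folder (documents, downloads, installers, temp): full control for
# Administrators, SYSTEM and both personal accounts, nothing for anyone else.
icacls $UserRoot /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${AdminUser}:(OI)(CI)F" `
    "${StdUser}:(OI)(CI)F"

# Subfolders created afterwards inherit these entries; show the result.
icacls $Backup
icacls $UserRoot
```

Removing inheritance is the step that matters: it is what stops the entries passed down from the volume root (including whatever broad groups the root grants) from applying to the two folders, while the rest of the partition is left exactly as it was. The saved ACL file lists the names it recorded; /restore applies them relative to the directory you give it, so look at the file before relying on it for a rollback.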
  7. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    Thanks for tolerance, MrBrian. :)

    I'm going to need some thinking to organise the questions still swimming around. :doubt:
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    In summary, the data on my data partition is readable and writable by either of the accounts that I normally use. The backups on my data partition are readable by either of the accounts that I normally use, but writable only to elevated programs.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I really like these sort of threads, as they usually give a lot of different ways to do a similar thing, and that is great for getting new ideas!

    I am a data whore to put it bluntly. I have many cds and dvds with programs from version X or pdfs from back when. I do occasionally prune the inventory, but not as much as I should ;)

    In my time spent with these idiotic machines, more than once I have been "playing" and lost data, or due to strange circumstances (such as a bad IDE cable) found a drive corrupted. These were hard lessons to learn, but proved fruitful in the end. I NEVER have less than 2 hdds in my machine, NEVER EVER. Right now I have 3. I also NEVER go without some optional media for the really important stuff as well, like NAS or flash or external hdd.

    Anyway, what I have been in the habit of doing for many years now is to reinstall the OS as often as possible. I used to do unattended installs all the time, now I do image restorations. In doing these, to minimize the time spent to get things "back to normal", I started installing large programs like an office suite or a game into another drive/partition. This has my "program files" folder, but only large and time consuming apps are installed there. The normal c:\program files is reserved for utilities, like browsers or speedfan/rivatuner, stuff of that nature. Stuff that is updated often and consumes very little room. The goal for me is to keep the OS drive as small as possible, thus only small apps are installed to it.

    I have 3 hdds right now, with an SSD for my OS which is whole, a 1tb drive split in two and a 750g drive split in two. The newest storage drive gets all the data I care the most about, while the older storage drive gets the stuff that is either expendable or I only plan on using for so long.

    If the data is really important, it gets put on a mirrored raid array NAS box, or flash drive, or optical media.

    In the terms of data loss, I don't worry so much about malware and company deleting my data on other drives. If it was important, it will be on the NAS box which is account/password protected with a *nix OS. Yes I have to input my credentials to save, but it is important data, so the inconvenience is worth it. If it was not put to other media such as flash or dvd, then it was not important.

    What I worry about more is what I execute that I don't trust or what might be executed without my knowledge. While I understand implicitly the strength of giving accounts read only permission to critical data storage, I feel that I am best served to stop the enemy at the gate rather than worry about the bedroom door.

    I used to do more really geeky stuff like use subst and memory drives, change my %userprofile% directories and create one universal %temp% directory, I no longer do. It certainly proved a good learning experience, but once I started using images more and more (due to bartPE primarily) I found that as long as I was careful in where I put things on the OS drive, I could simply copy these few directories to a data drive, then restore an image without the added hassle of directory relocations and substitutions.

    IMHO it is best to develop a plan that encompasses all that you do, not just what is "most safe". Sometimes (maybe a lot of the time) we get caught up in being as secure as possible (because we care) that we lose sight of whether it is all warranted or not. It is different for everyone of course, but I have found in my own travels that when I strive to "simplify" things, more often than not, with a little thoughtfulness and imagination, "simplification" can bring along with it better security.

    Sul.
     
  10. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    Hi. Slept on this to let the fog settle.

    If Bowie had sung about Windows default file permissions in partitions he might have gone... "Cloud control to Uncle Tom ...Cobbly and Aunty Mavis and anyone else who feels like it".

    To prove I'm determined to learn this topic, below is a screenshot of my MO for researching permissions on my system.

    JR Michener offers 'simple' rules:

    "...if a user can write files in a trusted area ... Windows, Program Files, and so forth, other users and administrators should not be able to execute them" and "Do not mix user writeable files with executable files".

    I guess there's an option at first install to rearrange Windows over different partitions, but I've never felt competent to interfere with the beast and just hold my breath until it's done.

    There's no option for a 'SAD' install --- 'Sole and Direct' access only --- a system that won't be used over networks, remotely accessed or woken up by phoning home to turn on the kettle, so no need for windswept services and 'Everyone(World)' groups.

    Multiple partitions are given unexpected default permissions (see below). My (abbrev.) findings of default install Allow permissions....

    C:\Local Disk
    Users...........................execute, list and read
    Admins........................full control
    System........................full control
    Authenticated Users....special (execute, list, read, create, write, delete)*

    * Surely all this freedom is bad?

    C:\Programs
    Users...........................execute, list and read
    Admins........................full control
    System .......................full control
    Creator Owner.............full control (presumably the object program?)
    Trusted Installer...........full control (misnomer in my opinion)

    C:\Users
    Users...........................execute, list and read
    Admins........................full control
    System .......................full control
    Everyone.....................execute, list and read

    C:\Users\{stndrdMe}
    Users.......................... full control
    Admins........................full control
    System .......................full control
    Everyone.....................execute, list and read

    Digging into the Users folder shows Users get a second 'special' DACL granting create/write/append permission (e.g. C:\Users\AllUsers\{program}) and Creator Owner gets full control (presumably the program itself).

    Not sure I follow the relationship between the User folder write permissions and Michener's don't mix rule?

    Hidden symbolic(?) or junction links and shortcuts aren't for the faint-hearted and I leave well alone.

    Finally, when I checked all my non-system partitions, Windows had created default DACLs to all as this example:

    J:\ Data
    Users...........................execute, list and read
    Admins........................full control
    System........................full control
    Authenticated Users....modify, execute, list, read, create, write, delete

    These Authenticated Users seem to be 'NTAUTHORITY\Authenticated Users'
    and receive default permissions:-

    Access this computer from the network
    Allow logon locally
    Bypass traverse checking
    Change the time zone
    Increase a process working set
    Remove the computer from a docking station
    Shut down the system

    Not sure what some of that means, but they can "modify, create, write and delete" on every partition and that was enough to confuse me. So I chose a data folder and deleted them. Still trying to work out what happened but I image-restored in the end. Changing these suckers is tricky.

    I'm guessing that having system-separate partitions for data, temp, downloads etc is little different to having one non-system partition with folders for these as MrBrian does.

    So it's just (!!!) a matter of following same permissions arrangement, near as dammit, and all should be well? :D
     

    Last edited: Mar 3, 2011
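An added example, not from the thread, that turns Michener's 'do not mix' rule quoted above into a check you can run over a partition: it lists every directory that one of the broad groups from the listings above (Users, Authenticated Users, Everyone) can write into and that also contains executable files. It assumes PowerShell 3.0 or later and that J:\ is the data partition; the group list and the extension list are the example's own choices.

```powershell
# Added example, not code from the thread. Flags directories that ordinary users can
# write into AND that contain executable files (the mix Michener's rule forbids).
# Assumptions: PowerShell 3.0+, J:\ is the data partition (change -Root as needed).
param([string]$Root = 'J:\')

# Broad principals: a write grant to any of these means every ordinary user (or, for
# Everyone, every caller) can create or replace files in the directory.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Extensions treated as executable content for this audit (the example's own list).
$ExecExt = '.exe', '.dll', '.com', '.scr', '.msi', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.jar'

$FSR = [System.Security.AccessControl.FileSystemRights]
$PF  = [System.Security.AccessControl.PropagationFlags]
$ACT = [System.Security.AccessControl.AccessControlType]

# Specific-rights bits that allow dropping files or subfolders into a directory.
# Modify and FullControl both contain these bits, so testing them covers every
# write-capable grant; the two generic bits cover ACEs written with GENERIC_* rights.
$WriteMask    = [int]$FSR::CreateFiles -bor [int]$FSR::CreateDirectories
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000

function Test-BroadWriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne $ACT::Allow) { return $false }
    if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    # Inherit-only entries (e.g. CREATOR OWNER placeholders) do not apply to this directory.
    if (([int]$Ace.PropagationFlags -band [int]$PF::InheritOnly) -ne 0) { return $false }
    $raw = [int]$Ace.FileSystemRights
    return (($raw -band $WriteMask) -ne 0) -or (($raw -band ($GenericWrite -bor $GenericAll)) -ne 0)
}

function Find-WritableExecutableDirs {
    param([string]$Path)
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }      # DACL not readable from this account; skip
        $writers = @($acl.Access | Where-Object { Test-BroadWriteAce -Ace $_ })
        if ($writers.Count -eq 0) { continue }
        $exes = @(Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue |
                  Where-Object { $ExecExt -contains $_.Extension.ToLower() })
        if ($exes.Count -eq 0) { continue }
        [pscustomobject]@{
            Directory   = $dir.FullName
            WritableBy  = ($writers | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
            Executables = $exes.Count
        }
    }
}

$hits = @(Find-WritableExecutableDirs -Path $Root)
if ($hits.Count -eq 0) { "No user-writable directories containing executables under $Root" }
else { $hits | Format-Table -AutoSize }
```

Run it as `.\Find-WritableExecDirs.ps1 -Root 'J:\'` (or against a downloads partition, which is where run-in-place programs tend to end up). It only inspects Allow entries and does not evaluate Deny entries or group membership, so a hit is something to look at rather than a verdict; conversely, a directory that does not appear can still be a problem if a less obvious group or an individual account has write access there.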
  11. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    Might as well get it all off my chest...:mad:

    Just checking my backups permissions.

    I dabbled with Paragon but now stick with Win7 backup. I use a second internal hard-drive for scheduled backups (image of system and temp/ files and folders for the rest). I supplement with DVDs as and when I feel the need.

    My second drive is split into three partitions. Smallest holds a clean install image (nothing added/nothing taken away) and the other two are used for scheduled or ad-hoc Windows backups and for storing random folders for belts and braces before burning to DVD.

    F:\BackupsA
    Users...........................execute, list and read
    Admins........................full control
    System........................full control
    Authenticated Users....modify, execute, list, read, create, write, delete

    There's them Authenticated Users again :cautious: I never authenticated nobody.

    F:\My_PC {Windows backup folder}
    System.................Full control
    Admins.................Full control
    Creator Owner......special (full control)

    F:\WindowsImageBackup
    Admins..................Full control
    Creator Owner.......Full control
    S-1-5-32-1551.......Full control*

    This SID is apparently the Backup Operators group, described as "A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down". :eek:

    Beats me how a group with no members can log on and shut my computer down but that's the mystery of Windows. The unwary like me would assume the System might have this power for a hibernating machine during a scheduled backup?

    So who is Creator Owner? Seems this is "A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator".

    So that explains that then. :doubt:

    Seems to me Microsoft wants 'non-expert' users (the bulk of their profit?) to let the grownups take care of things. Look where that got us... :)

    Thanks for tolerating me.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For the Windows 7 system partition, I kept the DACLs at their defaults. The only exceptions I can think of are due to the permissions auditing that I believe you've read about already in other threads.

    You may find BPACLer useful.
     
  13. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    Cheers. Thanks for suggestion on BPACLer.exe. Already installed and on the go. :thumb:
     