RBAC and security

Discussion in 'other security issues & news' started by lunarlander, Aug 31, 2016.

  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    How good is Role Based Access Control (RBAC)? I am thinking of implementing 2 admin accounts. One is for installation of software, which has access to the internet, but no access to security functions like Local Security Policy, Windows Firewall, net.exe, netsh.exe and a few more things like removing the take ownership right. And the other admin account is all-powerful, but can't connect to the internet, for doing security administration work.

    I recently had an incident where the attacker was able to delete user accounts on the system. So I am trying to mitigate that partially.

    Since I don't have Win 10 Enterprise, I can't use AppLocker, so I have to rely on ACLs. Also, is there a way for an attacker to bypass that?
     
    Last edited: Aug 31, 2016
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,056
    Why don't you use one admin and another standard user account? This way a lot of restrictions will be automatically set for the standard account. You can try Software Restriction Policies instead of AppLocker. I use this combination (SUA+UAC+SRP) on my Windows 7 and I like it.
     
  4. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,
    I do use a Standard account daily.

    I also already use software restriction policy.

    This dual admin setup is for the times when I need to install software and briefly have to use an admin-type account. I want to cut down the risk of an attack when using an admin account. So that's why I am thinking of setting up an 'install software' admin and a 'security admin' account.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @lunarlander

    Is this for a desktop system, or a multiuser/server type affair?

    ***

    I don't know a lot about Windows system internals, especially not about Windows 10. But, from my experiments with Metasploit a while back, I'm pretty sure that distinctions between admin users with different privilege sets will not matter if someone uses a local privilege escalation exploit; most of those go straight to SYSTEM privileges, and so will bypass everything.

    BTW, I'm curious about the incident you mention. Deleting accounts does not sound very useful for an attacker on a home desktop, unless they just want to waste your time (as opposed to making money for themselves).

    ***

    My suggestion - obviously just opinion, etc. - is to consider the following goals, in order of decreasing importance:

    1. Password manager, offline backups, and other means of damage control.

    2. Preventing remote exploits. (Updates, known secure software, ad/script/plugin blocking, probably EMET.)

    3. Containing possible remote exploits. (Filesystem access control if possible; Sandboxie does this, not sure what else on Windows. LUA/SRP also helps, though maybe not as much.)

    On a desktop, an attacker would have lots of useful info just from access to your browser, never mind the entire limited account.

    (But of course, see again "opinion". Also, the above is very much oriented towards normal desktop or work/development stuff, as opposed to secrecy and whatnot.)
     
  6. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi G J,

    I think it was an exploit against the antivirus Webroot SecureAnywhere, because I detected some remote admin type activity on a different machine where I installed that too. And I quickly re-imaged without investigation.

    Then, not sure of where the vulnerability lies, I again installed it, this time on my wife's netbook. My memory of the incident is hazy, but I recall EMET 5.2 giving a message. I wanted to re-install Windows, but my wife says she hasn't done backups lately and won't have the reinstall done. To complicate matters, she also hasn't done Windows Update for several months. So again now, I can't be sure of where the vulnerability lies, whether it is Webroot or not. Unfortunately she works out of the country, and I can't look after the machine properly.

    Now to your suggestions.

    1. Which Password manager do you suggest? I have heard of a few. I have 2nd factor authentication setup on all my gmail accounts.
    I do have offline backups and offline images.

    2. For stopping remote exploits I use Malwarebytes Anti-Exploit, but am aware that it only covers browsers. I have stayed away from EMET 5.5 because it requires the Secondary Logon service and that is a problem. I always assume that the attacker knows my account passwords, so if I enable Secondary Logon, then they would be able to invoke admin rights. Is having EMET more important than worrying about Secondary Logon? If the privilege escalations you mention are so powerful and are all UNPATCHED by MS, then maybe I should use EMET to stop exploits and not worry about Secondary Logon.

    3. I am trying to contain exploits via RBAC; setting up a less powerful admin for doing software installations, and allowing full admin rights to the security admin and taking it offline. I have also installed an anti-executable - Voodoo Shield to help curb attacks.
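As an added example (written for this page, not posted by anyone in the thread), here is how the split described in posts #1, #4 and #6 could be carved out with plain NTFS deny ACEs plus a per-user outbound firewall rule: the install admin is denied execute on the security tooling, and the security admin is blocked from the network. The account names InstallAdmin and SecAdmin, the firewall rule name, and the tool list beyond the executables the thread itself names (net.exe, netsh.exe, the Local Security Policy and Windows Firewall snap-ins) are assumptions. Run it elevated from the security admin account.

```powershell
# Added example, not from the thread. Assumes two local accounts that are members of
# Administrators already exist: InstallAdmin (installs software, online) and SecAdmin
# (security work, offline). Both names are hypothetical. Run elevated as SecAdmin.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$InstallAdmin = 'InstallAdmin'
$SecAdmin     = 'SecAdmin'

# Executables the install admin must not be able to run. net.exe hands every command
# to net1.exe, and 64-bit Windows keeps 32-bit copies under SysWOW64, so both are
# covered; a deny ACE on System32\net.exe alone is trivially bypassed.
$tools = @('net.exe', 'net1.exe', 'netsh.exe', 'takeown.exe', 'icacls.exe',
           'secpol.msc', 'wf.msc')
$dirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Deny-Execute {
    param([string]$Path, [string]$Account)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # System32 binaries are owned by TrustedInstaller and Administrators hold only RX,
    # so an admin cannot write the DACL directly. Take ownership (SeTakeOwnershipPrivilege),
    # add the deny ACE, then hand ownership back so owner rights cannot be used to undo it.
    & takeown.exe /F $Path /A | Out-Null
    & icacls.exe $Path /deny "$($Account):(RX)" | Out-Null
    & icacls.exe $Path /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
}

function Test-DenyAce {
    # True when an explicit Deny ACE covering ExecuteFile exists for $Account on $Path.
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*\$Account" -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    })
}

function Block-OutboundForUser {
    # Windows Firewall scopes a rule to a principal via an SDDL DACL passed in -LocalUser.
    param([string]$Account, [string]$RuleName)
    $nt   = New-Object System.Security.Principal.NTAccount($Account)
    $sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sddl = "D:(A;;CC;;;$sid)"
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $RuleName
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Profile Any -LocalUser $sddl | Out-Null
}

foreach ($dir in $dirs) {
    foreach ($tool in $tools) {
        $p = Join-Path $dir $tool
        Deny-Execute -Path $p -Account $InstallAdmin
        if ((Test-Path -LiteralPath $p) -and -not (Test-DenyAce -Path $p -Account $InstallAdmin)) {
            Write-Warning "deny ACE missing on $p"
        }
    }
}

# Hypothetical rule name; anything unique on the box will do.
Block-OutboundForUser -Account $SecAdmin -RuleName 'SecAdmin offline (outbound block)'
```

To check it, log in as InstallAdmin and run `net user`, which should fail with "Access is denied"; then log in as SecAdmin and confirm an outbound connection (for example `Test-NetConnection` to a host on port 443) is blocked. Three caveats a practitioner should keep in mind. First, denying the executables does not deny the functions behind them: `Remove-LocalUser`, the NetSecurity cmdlets and any program calling the SAM or firewall APIs directly still work from the install admin, so the deletion of accounts mentioned in post #1 is not prevented by this alone. Second, the deny ACE on takeown.exe and icacls.exe does not remove the underlying "Take ownership of files or other objects" user right, which is granted to the Administrators group as a whole; to actually take it away from the install admin you have to edit that User Rights Assignment in Local Security Policy so that only SecAdmin (not the whole Administrators group) holds it. Third, Windows servicing replaces these binaries and resets their DACLs, so re-run the script after updates, and the `.msc` denies only stop the shortcuts, not the snap-in DLLs loaded through mmc.exe. None of this helps against the local privilege escalation to SYSTEM that Gullible Jones describes in post #5.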
     