Testing Windows Policy & Privilege restrictions

Discussion in 'other anti-malware software' started by Joeythedude, Aug 31, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    This is probably well known in theory, but I found it very interesting to see in practice.

    I was able to run Nod32 SysInspector.exe to check what policy setup I'm running.

    Example:
    1. Run a browser with Drop My Rights.
    2. Download Nod32 SysInspector.exe.
    3. Execute Nod32 from the browser's download window; it is run with the
    same Drop My Rights permissions as the browser.

    (This only allows the Privilege SeChangeNotifyPrivilege.)

    So this implies that any remote code execution (drive-by download) that is created by the browser process will execute with only the privilege SeChangeNotifyPrivilege.

    Attached picture shows how to find the current user's (process's) privileges.
     

    Attached Files: Nod.gif
  2. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Joeythedude, you may also wish to look at the free Sysinternals PsExec tool which, when used with the “-l” switch, provides the same functionality as DropMyRights plus the ability to pass command line arguments to the application (a feature lacking in DropMyRights).
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Cheers. Do you use DMR or the sysinternals tool ?
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The inclusion of command line arguments is actually pretty trivial to do with the SAFER token level. There are at least 2 other programs I have found that allow command line arguments to be passed, and I have made a version or two myself. I cannot see why Aarron did not code that in the original DMR, as it is easy to do and is much more robust.

    The problem with DMR or PsExec is that you need to actually pass something to it, so you need specialized shortcuts or such things. I made a tool called SaferZone. You just drop an item onto it, and it runs. I cannot remember if I made it look for the command line in a shortcut or not. Either way, I find it easier to use SRP on static items to demote rights on, so I don't have to remember to demote them. Then I can use my SaferZone program to easily demote the programs that I either don't want statically demoted, or the new program that I just want to demote right now, maybe one I just downloaded and want to test in a LUA type affair to see what it does, or just to be sure it does not run with full rights.


    Sul.
     
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks Sully. I'm using DMZ_Zone as well, which must be your earlier version.
    It's great.
    Config / usage pretty much just as you described.

    Sully whats your opinion on the following..

    In my test I was able to see that Nod32 ran with privilege x.
    If Nod32 was a piece of malware, and it created another exe, BAD.exe, would this have the same privilege x?
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Using Windows internal features (e.g. with PGS) a launched application should inherit the rights, so yes.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks Kees

    Does DMR result in the same restrictions as using a LUA account?
    Blocking writing to the Windows folder, etc.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You may know this you may not, but I am a believer in spouting the facts for not only the OP but others who may find this later and may need the facts.

    First understand LUA or Limited User Account, then understand this is saying that your account is a member of the GROUP called USERS and not a member of the GROUP called Administrators.

    Next understand that as a User, you have by default access to read and execute in c:\windows and c:\program files. You have only create or modify rights in your profile directory for the most part, OR any custom created directories, for example you create c:\MyStuff.

    As a User, you can execute for example c:\windows\notepad.exe, as you are allowed to. However, you cannot use notepad.exe to modify anything in c:\windows, c:\program files or c:\ itself. This is the nice part of being a User, nothing you start will be able to muck with system areas. The reason for this is very simple and it is called INHERITANCE. When you start program X as a User, ANYTHING program X starts INHERITS the permissions and rights of program X. Program X itself INHERITED your User rights, so in turn everything that spawns as child processes INHERIT the same rights. It is the foundation of the security in windows operating system IMO.

    Now, you may also use Software Restriction Policies (aka SRP) within a User account (aka LUA). SRP policies in this context seek to create a default-deny situation. The default rules are to allow execution of anything in c:\windows and c:\program files. SRP in this case seeks to by default deny execution unless there is a rule to allow it. You would then use SRP to poke holes into areas or into files you want to allow execution. You use only allow or restrict in this case.

    Now, SRP is also capable of another 'level' of policy restriction, called Basic User or Restricted. This method examines an item listed in the SRP rules and when it is created, if it matches, it removes the rights that the program would have had and replaces them with the rights of a User. This is typically used if you are an administrator and wish to start program X AS A USER. When this is done, program X is essentially demoted to a Users rights level, and ANYTHING it subsequently starts will INHERIT the same demoted rights.

    This whole sequence has been labeled SAFER. Any process that is created in Windows XP, Vista or 7 is going to examine the SAFER registry area to see if there is a policy rule in place. If there is, before the program is actually started, the security level may be changed, or it may be denied or just allowed. When there is no SAFER rule in place in the registry, the program starts as normal, with whatever rights the user who started it had. If you are User, it starts with a user's rights. If you are Administrator, it starts with admin's rights. Again, anything that it in turn starts inherits its rights too.

    Now you have DropMyRights or other variants. The mechanism called SAFER may be applied via code directly to an application when you start it. Obviously you would not want to use allow or deny in this manner, so that leaves only 3 options, of which you really are only concerned with one, the Basic User aka Restricted setting. This is what DMR does, it initiates via code the exact same SAFER mechanism that SRP uses. You effectively demote the program started to User level, and again anything it starts inherits the same User level rights.

    Hopefully that clears it up and you understand both rights and inheritance, as they both are really what SRP or DMR are about when used in context of being an Administrator and starting some program you wish to demote to User.

    Sul.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    But on Vista with UAC on, SRP offers a nice way to run internet-facing programs as limited user, plus a deny-execute of the user space (Users directory and other disk partitions), while the others in Windows and Program Files are still monitored by UAC. It is a great first-line catch 20-20 situation: internet-facing programs are not allowed changes to the LocalMachine registry hive and Windows/Program Files directories, while any code downloaded is forbidden to run.

    On e.g. Vista 64, UAC (+ Norton's freebie UAC Tool) and SRP configured as above really provides seamless LUA security. On XP you will need SuRun to obtain UAC-like protection.

    Great thing it all works with the OS mechanisms, eating very little CPU cycles.

    Sul keep on creating easy to apply programs :thumb:
     
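The SRP setup Kees outlines above (default deny for user-writable locations, unrestricted for Windows and Program Files, Basic User for the internet-facing program), as an added example that is not part of the thread: it writes the same registry keys that secpol.msc / gpedit.msc writes when you build the policy in the GUI. It assumes an elevated PowerShell on XP, Vista or 7, and the Firefox path is a placeholder for whichever program you want demoted.

```powershell
# Added example (not the thread's own code): SRP machine policy via the registry.
# Run elevated. Level ids are the SAFER ones: 0 Disallowed, 0x20000 Basic User, 0x40000 Unrestricted.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = 0; $BasicUser = 0x20000; $Unrestricted = 0x40000

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule is a subkey <level>\Paths\{GUID}; ItemData holds the (expandable) path.
    $key = Join-Path $Base ("{0}\Paths\{{{1}}}" -f $Level, [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String       -Force | Out-Null
    return $key
}

New-Item -Path $Base -Force | Out-Null
# Default deny: anything not matched by an allow rule (the profile, %TEMP%, other
# partitions, removable media) is refused at process creation.
Set-ItemProperty -Path $Base -Name DefaultLevel       -Value $Disallowed -Type DWord
Set-ItemProperty -Path $Base -Name TransparentEnabled -Value 1           -Type DWord   # 1 = executables, 2 = also DLLs
Set-ItemProperty -Path $Base -Name PolicyScope        -Value 0           -Type DWord   # 0 = all users, 1 = skip local admins
Set-ItemProperty -Path $Base -Name ExecutableTypes    -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# Allow the areas a User can only read and execute.
Add-SaferPathRule $Unrestricted '%SystemRoot%'   'Windows directory'
Add-SaferPathRule $Unrestricted '%ProgramFiles%' 'Program Files'
# Close the user-writable holes inside %SystemRoot% (enumerate more with
# accesschk -uwdqs Users %SystemRoot%); a more specific path rule wins over a broader one.
Add-SaferPathRule $Disallowed '%SystemRoot%\Temp'  'writable by Users'
Add-SaferPathRule $Disallowed '%SystemRoot%\Tasks' 'writable by Users'
# Demote the internet-facing program (placeholder path): it starts with a Basic User
# token and, as discussed above, every child it spawns inherits that token.
Add-SaferPathRule $BasicUser '%ProgramFiles%\Mozilla Firefox\firefox.exe' 'browser as Basic User'
```

After running this, copy any .exe into your profile and try to start it: Explorer reports that it is blocked by policy. Start the demoted browser and check `whoami /priv` from a child it launches to confirm the Basic User token. If a freshly written rule does not seem to apply, log off and on; the policy is read when a process is created, but Explorer may still hold the old state.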
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well that will not be a problem lol. With winter coming on, I get more time to code and less work around the homestead.... depending on the weather.

    Sul.
     
  11. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    That right click DMR-Run is so handy. Thanks again for the great tool Sul
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You are welcome. You should go to mrwoojoo.com and check out SaferZone. I think it is a better tool personally.

    Sul.
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    What is the difference between DMRzone and Saferzone ?
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SaferZone is capable of dropping a target, or multiple targets, onto its icon. For example, you put the program on the desktop. You drop an executable onto it, it starts it like DMR. You grab 5 executables, drop them onto it, it starts all 5 like DMR.

    You place SaferZone into c:\MyFiles. You create a shortcut to the desktop for SaferZone. You still drop a file or files onto the shortcut, it starts them all.

    You may also drop shortcuts to executables on SaferZone or SaferZone.lnk, it will start them. It is capable of passing command line arguments. Right click on its title bar, and you can add/remove context menus for starting item(s) like DMR.

    When you execute SaferZone, you get a small window you can drop items onto. In the title bar menu are various options, like creating an .ini file for future preferences, and setting which restriction you wish to apply.

    It is a much improved version of DMRZone.

    Sul.
     
  15. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Kees is there any way for UAC to be bypassed on Vista? Thanks.
     