On Thursday 01 March 2012 12:11:37 Heiko Hund wrote:
> On Thursday 01 March 2012 11:59:11 Carsten Krüger wrote:
> > No. If you start a process in the user's context the user can modify it.
> > There is nothing you could do against it.
>
> I'll do some tests next week and post my findings here.
Sorry, haven't had much time for tests this week. However, I've done some reading; here are the preliminary plans on how to secure openvpn.exe and the named pipe handle.

It is false that you cannot set a process' mandatory label to a higher integrity level than the one in the token. Vista introduced the SE_RELABEL_NAME privilege specifically for that purpose. Apparently no default system account comes with the privilege assigned, though. As the "Local System" account on Windows 7 does not have it, I wouldn't say it's very practical to go this way, as admins would be forced to create a special "OpenVPN Service" account in order to run openvpn.

Instead I plan to secure the process (and probably the pipe handle as well) against malicious operations by not granting the user any sophisticated access to it, i.e. you can only inject code if you can write the process' memory. This will be enforced by the security descriptor assigned to the process by the service at creation time. The service account will own the process object, so that the user cannot sneak his way in by modifying the DACL.

Hope I haven't overlooked anything. If I did I'll be happy to receive feedback.

Regards
Heiko

--
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro a Sophos Company | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe
Represented by the General Partner Astaro Verwaltungs GmbH
Amalienbadstraße 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
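A small model of the access check behind the plan above, added here as an illustration that is not part of the thread or of OpenVPN's code. It is written in Python rather than against the Windows C API so it runs anywhere: it parses the SDDL form of a process security descriptor, walks the DACL the way a MAXIMUM_ALLOWED access check does (ACEs in order, a deny blocks bits not yet granted, an allow grants bits not yet denied), adds the implicit READ_CONTROL and WRITE_DAC that every object owner receives, and reports which tamper-capable process rights a given SID ends up with. The user SID and the three descriptors are constructed for the example; group membership in the token and ACE inheritance flags are deliberately ignored, and only hex access masks are parsed.

```python
import re

# Process-specific and standard access rights, values as in winnt.h.
PROCESS_RIGHTS = {
    "PROCESS_TERMINATE": 0x0001,
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_CREATE_PROCESS": 0x0080,
    "PROCESS_SET_QUOTA": 0x0100,
    "PROCESS_SET_INFORMATION": 0x0200,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_SUSPEND_RESUME": 0x0800,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
    "DELETE": 0x00010000,
    "READ_CONTROL": 0x00020000,
    "WRITE_DAC": 0x00040000,
    "WRITE_OWNER": 0x00080000,
    "SYNCHRONIZE": 0x00100000,
}

# Rights that let the holder write memory, start threads, duplicate handles,
# suspend the process, or rewrite the ACL / take ownership: none of these
# should reach the interactive user under the plan discussed in the thread.
TAMPER_RIGHTS = (
    "PROCESS_CREATE_THREAD", "PROCESS_VM_OPERATION", "PROCESS_VM_WRITE",
    "PROCESS_DUP_HANDLE", "PROCESS_SET_INFORMATION", "PROCESS_SUSPEND_RESUME",
    "WRITE_DAC", "WRITE_OWNER",
)

# SDDL well-known abbreviations used below (Local System, Builtin Administrators, Everyone).
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "WD": "S-1-1-0"}

# (type;flags;rights;object_guid;inherit_object_guid;sid), hex rights only.
ACE_RE = re.compile(r"\((A|D);([^;]*);(0x[0-9A-Fa-f]+);([^;]*);([^;]*);([^)]+)\)")


def _sid(token):
    return SID_ALIASES.get(token, token)


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and an ordered list of DACL ACEs."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    aces = [(ace_type, int(mask, 16), _sid(sid))
            for ace_type, _flags, mask, _g1, _g2, sid in ACE_RE.findall(parts.get("D", ""))]
    return {"owner": _sid(parts["O"]) if "O" in parts else None,
            "group": _sid(parts["G"]) if "G" in parts else None,
            "dacl": aces}


def effective_access(sd, sid):
    """Access mask a single SID obtains; simplified: the token's group SIDs are not considered."""
    granted = denied = 0
    for ace_type, mask, ace_sid in sd["dacl"]:
        if ace_sid not in (sid, "S-1-1-0"):      # ACE for someone else (Everyone always matches)
            continue
        if ace_type == "D":
            denied |= mask & ~granted
        else:
            granted |= mask & ~denied
    # The owner of an object can always read and rewrite its DACL, whatever the DACL says.
    # This is why the service account, not the user, must own the process object.
    if sd["owner"] == sid:
        granted |= PROCESS_RIGHTS["READ_CONTROL"] | PROCESS_RIGHTS["WRITE_DAC"]
    return granted


def tamper_rights(sd, sid):
    """Names of the tamper-capable rights the SID would hold on the process."""
    mask = effective_access(sd, sid)
    return [name for name in TAMPER_RIGHTS if mask & PROCESS_RIGHTS[name]]


# Constructed sample data: the user SID is invented for the example.
USER_SID = "S-1-5-21-1000-2000-3000-1001"
# Weak: the user owns the process and holds PROCESS_ALL_ACCESS (0x1FFFFF on Vista and later),
# the situation when the user starts openvpn.exe in his own context.
WEAK_SD = f"O:{USER_SID}G:{USER_SID}D:(A;;0x1FFFFF;;;{USER_SID})"
# Hardened: Local System owns the process; the user may only query it and wait on it
# (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE = 0x101400).
HARDENED_SD = f"O:SYG:SYD:(A;;0x1FFFFF;;;SY)(A;;0x101400;;;{USER_SID})"
# Owner trap: the DACL grants the user nothing, but ownership alone yields WRITE_DAC.
OWNER_ONLY_SD = f"O:{USER_SID}G:SYD:(A;;0x1FFFFF;;;SY)"

if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SD), ("hardened", HARDENED_SD), ("owner-only", OWNER_ONLY_SD)):
        sd = parse_sddl(sddl)
        print(f"{label:10s} user mask 0x{effective_access(sd, USER_SID):06X} "
              f"tamper rights: {tamper_rights(sd, USER_SID) or 'none'}")
```

On a real system the hardened string would be turned into a SECURITY_DESCRIPTOR with ConvertStringSecurityDescriptorToSecurityDescriptor and handed to CreateProcessAsUser as lpProcessAttributes; the "owner-only" case shows why setting the owner to the service account matters as much as the ACEs themselves.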