Re: [Full-Disclosure] Windows user privileges
So it looks like MS itself will settle that one: [quote] --- [snip] Amongst the many things this malware does, all of which require admin rights, are: * Creating files in the system32 directory. * Terminating various processes. * Disabling the Windows Firewall. * Downloading and writing files to the system32 directory. * Deletes registry values in HKLM. All these fail if the user running the e-mail client is not an administrator. So wouldn't it be useful (read: safer) if you could browse the Web, read e-mail, and so on as a non-admin, even though you need to perform your normal daily tasks as an admin? __ [end quote] by Michael Howard (Senior Security Program Manager in the Secure Engineering group at Microsoft). The DropMyRights Application. http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp This should be pushed as an update and the steps of shortcut described in the link automatised. BTW, after cracked Sound application for creating .wav, in that one we've got : Location: C:\warez\dropmyrights.exe c:\program files\internet explorer\iexplore.exe C:\warez . no comments. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Windows user privileges
Use IEXPLORE.EXE [PATH] to get a working copy of explorer using the runas service. eg. runas /user:system\user %PROGRAMFILES%\Intern~1\iexplore.exe [path] No bitching about the fact that its the IE exe we are loading, it makes no difference, thats just a wrapper to load the libraries, you can do the opposite and turn an explorer window into IE by [F4] HTTP:// [ENTER]. As for people who uninstall IE, well thats fine I have, but the EXE is still lurking there (it could otherwise be done with the windows update explorer window spawning). If you want to construct a proper right click option for folders in explorer then the place to put it would be some where around HKEY_CLASSES\Directory\shellex\ ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Windows user privileges
1. XP would be more suitable to run as a user if the runas service and windows installers were developed to add more complete and easy to use privilege elevation techniques outside of active directory and the default group policy that gets applied. ... 4. The windows install creates the first user account as an administrator so that they may install programs and hardware without allot of hassle. This is in fact good for business over the alternative (which is to hassle most end users beyond their point of no return), no matter what the security implications, remember end users don't care (even if they should). A good approach here that would allow the user to be a non-admin by default and not make things overly difficult would be: 1. When creating the Administrator account's password during setup, remind the user that they will need it to install software, etc. 2. When the user attempts to do something they have insufficient privileges for (install something, for instance) the Run As UI should appear automatically, rather than an error message. The average home user isn't smart enough to right click and find the Run As command; a great many such users don't even realize that the right mouse button has a use. It would also be nice if they'd fix Explorer, etc. to support Run As, and perhaps add an Open As command to the context menu for folders, to allow opening a folder with different credentials. While they're at it, they might find some way of marking the windows of any processes not running as the current user. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Windows user privileges
is that windowed applications do not get polled for refresh, so for example using an explorer instance in a runas will not update the file listing until you press F5 I have witnessed bad things come of this Are we able to run Explorer.exe using runas utility... Yes, but it won't do much good. The instance running as your second user will simply detect the first instance in memory and tell it to open a new window, then terminate. The window will be opened by an already-running instance of explorer.exe, not the one you just started, and will therefore have the permissions of the original user who logged in, not those of the user specified to RunAs. If you first kill all running instances of Explorer.exe from the task manager (or using the kill utility) and then start explorer via RunAs (from the command prompt) it will restart the shell as a different user, and you can then open an explorer window with the permissions you want. Then kill and restart explorer.exe again to restart the shell as the original user. (Be sure to do so from an instance of task manager or a command prompt that is still running in the original user's context.) IIRC, you can also simply log off from the shell, and it will restart as the original user. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Windows user privileges
is that windowed applications do not get polled for refresh, so for example using an explorer instance in a runas will not update the file listing until you press F5 I have witnessed bad things come of this Are we able to run Explorer.exe using runas utility... ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Windows user privileges
--On Monday, November 22, 2004 07:56:14 PM +0530 Sandeep Singh Rawat [EMAIL PROTECTED] wrote: Are we able to run Explorer.exe using runas utility... Of course. You can run any binary using runas. You may have to use absolute paths, but that's a minor inconvenience. Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Windows user privileges
At 12:43 PM 11/22/2004, you wrote: Are we able to run Explorer.exe using runas utility... Of course. You can run any binary using runas. You may have to use absolute paths, but that's a minor inconvenience. Just to clear that up, depending which script/utility you are using to initiate the code you can use: %windir%\explorer.exe I remember dissecting a bit of malicious code attached to an email about 6 years ago. I remember thinking 'whoever wrote this can't be older than 12'. It had hardcoded c:\windows\...blah blah blah and c:\win95..blah blah blah I guess these were attempts to cover their bases. Why not just use %winnt% or %windir%? I adjusted the script with %windir%and it worked (I think it might have been WSH, but that would be Win98, but in any case I remember it worked). rp ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Windows user privileges
1. XP would be more suitable to run as a user if the runas service and windows installers were developed to add more complete and easy to use privilege elevation techniques outside of active directory and the default group policy that gets applied. 2. Due to the above, the power users group is more appropriate (for home / business laptop travelers(local machine only)). 3. Inside of a domain, or using the local users and groups snap in, the default user group for account creation is users. 4. The windows install creates the first user account as an administrator so that they may install programs and hardware without allot of hassle. This is in fact good for business over the alternative (which is to hassle most end users beyond their point of no return), no matter what the security implications, remember end users don't care (even if they should). 5. Considering that XP is run with admin privileges all over the world, it does quite well. Out of interest, I suspect that many of the people involved in this conversation, unless operating within a domain, are running as local administrators anyway. You don't really have any special reason to be doing so that makes you better than the end users you talk about; you do it because it is more convenient (and your an admin) than keeping runas sessions up of mmc, cmd, and control. (the equivalent to what would be more common on *nix systems with su). Thus is the more important point in the conversation, what is really required is the ability to use all the functionality without adding too many authentication processes. Most *nix configuration apps now ask for elevated credentials, which, in windows, only occurs inside of a AD Domain when using an Install Shield program along with a few other limited areas which successfully prompt the user for admin rights, but certainly not all things that should. There may be a group policy object which can make the install authentication rear its head at any install outside of a domain, but I have had no reason to look so far. Hardware operations authentication would also be necessary for an appropriate solution. For the end user, such a setup is still a pain even if it does prompt correctly. File and folder permissions are bewildering to most users, that is problem #1 when users install applications without setting the folder permissions correctly. The next problem is the running of applications inside of a runas service. A small nause of the process is that windowed applications do not get polled for refresh, so for example using an explorer instance in a runas will not update the file listing until you press F5 I have witnessed bad things come of this property already. As for fast user switching, that is not really appropriate either, as for a start it is a high system load process, and windows' caching routines are quite abusive when you start switching users alot (mass unnecessary paging effects on low memory systems). I see the problem as not so much a fault but more of an area which has not had enough development. Certainly end users should be more aware, but they never will be so some other solution should be saught. Nay, we are the people who are paid to produce such a solution. In this case, you should blame the user, you should fix their issue and produce a bill. a little more than my 2c. On Sat, 20 Nov 2004 19:28:13 -0600, Paul Schmehl [EMAIL PROTECTED] wrote: --On Saturday, November 20, 2004 8:19 AM -0500 Mike Hoye [EMAIL PROTECTED] wrote: On every XP install that I've seen from every major OEM (Dell, Compaq, Gateway, etc) fast user switching is on by default and every user is an administrator. Not on most; on every single one. Furthermore, these machines don't have actual XP OS install CDs, they usually come with restore CDs that just return the PC to this same initial state if they're used, which they almost never are. I have never seen a home user, that is to say change that setting or create a user who is actually just a User. Not once, ever. And this is a flaw of the *OS*? Or of the *OEM*? Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Windows user privileges
On Fri, Nov 19, 2004 at 04:19:49PM -0600, Paul Schmehl wrote: Windows has several groups. By default users are in the USERS group, *not* the ADMINISTRATORS group. On every XP install that I've seen from every major OEM (Dell, Compaq, Gateway, etc) fast user switching is on by default and every user is an administrator. Not on most; on every single one. I would say that is more the fault of the configuration than anything. Probably cheaper for the OEMs to do it that way from a educational perspective, they don't have to teach the user anything, just say go. Joe -- Pro-Choice Let me choose if I even want a browser loaded thanks! ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Windows user privileges
Dell gives the full OS cd and then a separate drivers CD, at least on the business side. Not sure about the home side. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hoye Sent: Saturday, November 20, 2004 7:19 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Windows user privileges On Fri, Nov 19, 2004 at 04:19:49PM -0600, Paul Schmehl wrote: Windows has several groups. By default users are in the USERS group, *not* the ADMINISTRATORS group. On every XP install that I've seen from every major OEM (Dell, Compaq, Gateway, etc) fast user switching is on by default and every user is an administrator. Not on most; on every single one. Furthermore, these machines don't have actual XP OS install CDs, they usually come with restore CDs that just return the PC to this same initial state if they're used, which they almost never are. I have never seen a home user, that is to say change that setting or create a user who is actually just a User. Not once, ever. It might make sense if you actually had knowledge of an OS before you criticize it. I don't think the question should be why is IRC still around, I think the question should be why is full-disclosure turning into IRC? - Mike Hoye -- Buy land. They've stopped making it. - Mark Twain ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Windows user privileges
They do the same on the home side. (Well, at least they did last time I bought a Dell laptop. Been a few years.) I was going to point this out too but you beat me to it. =) -- Peace. ~G On Sat, 20 Nov 2004 14:44:41 -0600, Todd Towles [EMAIL PROTECTED] wrote: Dell gives the full OS cd and then a separate drivers CD, at least on the business side. Not sure about the home side. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hoye Sent: Saturday, November 20, 2004 7:19 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Windows user privileges On Fri, Nov 19, 2004 at 04:19:49PM -0600, Paul Schmehl wrote: Windows has several groups. By default users are in the USERS group, *not* the ADMINISTRATORS group. On every XP install that I've seen from every major OEM (Dell, Compaq, Gateway, etc) fast user switching is on by default and every user is an administrator. Not on most; on every single one. Furthermore, these machines don't have actual XP OS install CDs, they usually come with restore CDs that just return the PC to this same initial state if they're used, which they almost never are. I have never seen a home user, that is to say change that setting or create a user who is actually just a User. Not once, ever. It might make sense if you actually had knowledge of an OS before you criticize it. I don't think the question should be why is IRC still around, I think the question should be why is full-disclosure turning into IRC? - Mike Hoye -- Buy land. They've stopped making it. - Mark Twain ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Windows user privileges
--On Saturday, November 20, 2004 8:19 AM -0500 Mike Hoye [EMAIL PROTECTED] wrote: On every XP install that I've seen from every major OEM (Dell, Compaq, Gateway, etc) fast user switching is on by default and every user is an administrator. Not on most; on every single one. Furthermore, these machines don't have actual XP OS install CDs, they usually come with restore CDs that just return the PC to this same initial state if they're used, which they almost never are. I have never seen a home user, that is to say change that setting or create a user who is actually just a User. Not once, ever. And this is a flaw of the *OS*? Or of the *OEM*? Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
