In association with heise online

Universal object protection

Although the discussion has so far mainly been about files, the access protection offered by integrity levels is much more far-reaching and extends to all possible objects on the system. Thus, whatever applies to files also applies to the registry, and this includes container and object inheritance. With the command line option -k, AccessChk shows access rights in the registry rather than in the file system.

Process security descriptors
[Figure: Processes are also objects with security descriptors that determine individual access rights]

Processes are objects as well. They have a special role because, on the one hand, they act as subjects by means of their access tokens and, on the other, as objects they carry a security descriptor which describes what others may do with them. When one process wants to access another in memory, whether this is allowed depends on the access token of the requesting process and on the security descriptor of the process being accessed.

In Process Explorer, the information from the security descriptor of a process is concealed behind the "Permissions" button on the "Security" tab. From there, the "Advanced" button leads to a dialog which shows the DACL of the process under the "Permissions" tab. By clicking on the "View/Edit" button for an entry, the rights finally come into view.

However, Process Explorer does not show the integrity level stored in the SACL of a process, nor its access flags. This information is revealed by AccessChk by invoking

accesschk -p *

and preferably from a command line with administrator rights, so that it can also inspect the system processes. As you can see, every process has not only "No Write Up" but also "No Read Up" set. This prevents a trojan which may have sneaked into memory via Internet Explorer from reading the memory of other processes and possibly stealing passwords.

Confidential

In order to conceal confidential data from Internet Explorer, it is necessary to set the access flags "No Read Up" and "No Execute Up" in the file system as well. This is difficult using the built-in tools: although icacls can display these flags, it has no option to set them. If necessary, it can be done by resorting to the Security Descriptor Definition Language (SDDL): save the ACL with the icacls option /save, edit the resulting file with a Unicode-capable editor (Notepad is not suitable) and write it back with /restore. It is easier, however, to use the Chml utility from Mark Minasi.

On a command line which is started with administrator rights, the command

chml secret -i:m -nw -nr -nx

sets the folder "secret" to the Medium integrity level with the access flags No Write Up, No Read Up and No Execute Up. Unlike icacls, Chml enables inheritance by default; the option -noinherit turns it off if you want. Using a command interpreter started at integrity level Low, as described above, you can verify that it is now no longer possible to look into this folder.
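The following script is an added example (not code from the article, and not from chml or icacls) that carries out the SDDL route described above in a reproducible way: it rewrites the mandatory label ACE in the file that `icacls secret /save acl.txt` writes so that the label carries No Write Up, No Read Up and No Execute Up, and it models the integrity check itself, so you can see why a process at Low may read a Medium folder labelled (NW) but not one labelled (NW)(NR)(NX). The sample ACL line is constructed; the layout of the /save file (a relative path line followed by the SDDL line, stored as UTF-16LE without a byte-order mark) and the S: section being the last one in the string are assumptions, marked as such in the comments.

```python
"""Mandatory label handling for the "secret" folder.

Added example; not code from the article, chml or icacls.  Two parts:
 1. rewrite the mandatory label ace inside an SDDL string of the kind that
    `icacls secret /save acl.txt` writes, so the label carries the
    No Write Up, No Read Up and No Execute Up policy;
 2. a model of the integrity check the kernel performs, to show why a Low
    process may read a Medium folder labelled (NW) but not one labelled
    (NW)(NR)(NX).
Write the result back with `icacls . /restore acl.txt` from an elevated prompt.
"""
import re

# SDDL SID aliases for the mandatory levels, ordered by rank.
LEVEL_RANK = {"LW": 1, "ME": 2, "HI": 3, "SI": 4}   # Low, Medium, High, System
NW, NR, NX = "NW", "NR", "NX"                        # policy bits of an ML ace
READ, WRITE, EXECUTE = "read", "write", "execute"    # generic access classes

# One mandatory label ace: (ML;<ace flags>;<policy>;;;<level SID alias>)
ML_ACE_RE = re.compile(r"\(ML;([^;]*);([^;]*);;;(LW|ME|HI|SI)\)")


def parse_label(sddl):
    """Return (level, ace_flags, policy set) of the ML ace, or None if absent.

    An object without a label ace is treated by Windows as Medium with
    No Write Up only; callers handle None that way.
    """
    m = ML_ACE_RE.search(sddl)
    if not m:
        return None
    flags, rights, level = m.groups()
    return level, flags, set(re.findall(r"NW|NR|NX", rights))


def set_label(sddl, level="ME", policy=(NW, NR, NX), inherit=True):
    """Replace (or add) the ML ace so that it carries `level` and `policy`.

    Assumption: the SDDL follows the documented O:G:D:S: order, so the S:
    section, when present, is the last one and an ace can simply be appended.
    """
    ace_flags = "OICI" if inherit else ""            # OI+CI, as chml does by default
    rights = "".join(bit for bit in (NW, NR, NX) if bit in policy)
    ace = f"(ML;{ace_flags};{rights};;;{level})"
    if ML_ACE_RE.search(sddl):
        return ML_ACE_RE.sub(ace, sddl, count=1)
    if "S:" in sddl:
        return sddl + ace
    return sddl + "S:" + ace


def rewrite_acl_text(text, **label_args):
    """Rewrite every SDDL line of an icacls /save file given as text.

    Assumed layout (not documented on the page): pairs of lines, a relative
    path followed by the SDDL of that object.
    """
    lines = text.splitlines()
    for i in range(1, len(lines), 2):
        lines[i] = set_label(lines[i], **label_args)
    return "\r\n".join(lines) + "\r\n"


def rewrite_acl_file(src, dst, **label_args):
    """File wrapper.  Assumption: icacls writes and expects UTF-16LE without a
    byte-order mark, which is why Notepad (which adds a BOM) breaks /restore."""
    with open(src, encoding="utf-16-le", newline="") as f:
        text = f.read()
    with open(dst, "w", encoding="utf-16-le", newline="") as f:
        f.write(rewrite_acl_text(text, **label_args))


def mandatory_allows(subject_level, label, access):
    """Model of the integrity check: only a subject below the object's level can
    be blocked, and only for the access classes named in the label policy.
    The DACL is evaluated afterwards and is not modelled here."""
    level, _flags, policy = label or ("ME", "", {NW})
    if LEVEL_RANK[subject_level] >= LEVEL_RANK[level]:
        return True                                   # the DACL alone decides
    return {WRITE: NW, READ: NR, EXECUTE: NX}[access] not in policy


# Constructed sample of what `icacls secret /save acl.txt` might produce:
# Medium label with No Write Up only, i.e. still readable by a Low process.
SAMPLE_ACL = (
    "secret\r\n"
    "D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)"
    "S:AI(ML;OICI;NW;;;ME)\r\n"
)

if __name__ == "__main__":
    before = parse_label(SAMPLE_ACL)
    after_text = rewrite_acl_text(SAMPLE_ACL)
    after = parse_label(after_text)
    print(after_text.strip())
    for access in (READ, WRITE, EXECUTE):
        print(f"Low process, {access}: before={mandatory_allows('LW', before, access)}"
              f" after={mandatory_allows('LW', after, access)}")
```

Note that the model only covers the mandatory check: a process at the same or a higher level passes it and is then judged by the DACL as usual, so the flags on "secret" do nothing against a Medium process, which is exactly the point of running Internet Explorer at Low.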

Permalink: http://h-online.com/-747209