I have a problem I can't seem to find the answer to, though I am sure it is out there. Is there a way I can disable registry and file access for a newly-created process? I am using Job objects ( http://msdn.microsoft.com/en-us/library/windows/desktop/ms682409(v=vs.85).aspx ) and it says to set the permissions for each new job process, and in a few books I have read that things such as registry and file access can be controlled.
While looking for my answer I saw that I needed to add LUIDs for things such as SE_BACKUP_NAME and such (or whatever it is called) but none of those privilege constants seem to reflect the kind of control I want.. So my exact question is: How would I go about disabling registry/file write access for a newly created process in a Job?
I am trying to create a sandboxed-application, btw. This is so I can prevent it from making any changes to the registry or writing any files while it runs.
Any help would be appreciated!
Windows accesses many resources during process startup, so if you successfully disabled access to the filesystem and registry the process wouldn't start.
Ideally, you'd want access to be restricted after process initialization was complete, but Windows doesn't have a mechanism to do this for arbitrary processes. The sandbox in the Chrome browser relies on the cooperation of the sandboxed process.
The documentation for the Chrome sandbox has a nice overview of the various security mechanisms available in Windows and explains how they are used in Chrome. It's a nice solution if you are trying to sandbox your own code.
I don't think you can disable access outright as many susbsystems rely on it (COM, the shell, some DLL initialisation, debugging, etc) An alternative would be to allow access, but to a limited sandbox which can be done with the integrity system. Setting it to low integrity will block most write access and is used by protected mode IE.
Related
Perhaps it's a silly question, but I would like to customize how permissions are managed in Linux (specifically Debian in this case if that makes a difference). I would like to define the permissions (possibly by writing custom kernel module?) by attaching them directly to the process/executable rather than to a specific user/group/whatever that triggered the process. This automatically means that the traditional chmod is just not good enough. Is there some specific kernel module I can look at to see how the traditional rwx permissions are managed to customize it a bit? Or is there a better way to handle this?
Create a folder with access granted only to the executing process. The process will delete the data when job is done.
The purpose is to avoid having any other process attempt to manipulate the data in the folder, while the owner process is running.
I already tried giving ACLs and it did not solve the purpose. Basically the current user gets the permission and so if any other process is running under the same user then the other process gets the permissions as well.
// I used the second parameter here to add ACLs
CreateDirectory(lpPath, &sa);
You are right, ACL are used to manage user permissions, not process permissions. It is easy in Windows to limit a file to a running process by opening it with CreateFile with a dwShareMode of 0.
But according to the MSDN page on CreateFile, it is possible to get a directory handle with that function if the dwFlagsAndAttributes parameter contains FILE_FLAG_BACKUP_SEMANTICS. Creation is not possible that way, but maybe keeping the directory open could prevent other processes to access it. Beware I have never tested that.
Anyway, I cannot imagine a real use case where it would be required. If you want to do that for security reasons, the correct way is to use a dedicated user. In addition it allows an administrator to control what happens in the directory. And if it is for synchronization reasons, you should rely on standard synchronization primitives
Is it possible to select such a security descriptor using a DACL string such that the file can only be opened by a Windows Service, but not by an ordinary process, even if the process is run by the local Administrator account?
To clarify, I just need to make it reasonably hard for a non-technical user to open it in NotePad and tamper with it. It doesn't need to work against a programmer willing to dedicate a month of his life to reverse engineering and cracking it.
I prefer to achieve this using DACL instead of locking the file because then my windows service doesn't need to run all the time for the file to be protected.
Local administrator account = God (at least on the box). There's no way to do this.
You can define a special privileged account for your service to run under, and make the ACLs on the protected file only allow access by that user (and all machine admins). You can disallow interactive login using that service account.
If your primary concern is tampering by interactive users, you may need a policy whereby the local user does not run by default with local admin rights. Unfortunately you cannot allow 'partial' local admin rights - it's all or nothing.
I don't know enough about DACLs to say whether or how you can accomplish what you want with those. I can think of a couple things you can do to make it harder for someone to tamper with the file, in addition to restricting it to the local administrator account:
Have your service start automatically, and open the file immediately with no sharing options. As long as your service has it open, another process won't be able to open it.
Compute a hash of the file contents plus a salt hardcoded into your service and store it somewhere else, e.g., in another file, in the registry, or even online. Next time you open the file, verify the hash, which will tell you if someone tampered with the file since the last time you opened it.
These are not foolproof by any stretch, but it sounds like your goal is simply to make it harder. There's no foolproof method to stop a user with administrator privileges.
I have an application whose resources need to be updated externally from time to time. I want the application to update it's own resources.
The problem with UpdateResource() is that it cannot be used on a currently executing process. Any ideas how I can update resources from the application itself instead of writing an external app to handle this?
regards,
andy
This seems to be not a good solution to update the application resources. Programs are installed with Administrator rights. A standard user has no write access to the program executable files. Consider saving the data you need in a user directory. E.g. %LOCALAPPDATA%. If you really need resources you can also put a resource-only DLL there. Then it is easy to update even in a multi-user scenario.
You should move the resources to an external DLL and unload it while updating and reload
it back.
You can't modify your own executable.
Also, you must not do this. What if you're running from read-only drive?
For storing program state, there is %APPDATA%, %LOCALAPPDATA% and registry.
We have this client application running on Windows. The core of it is comprised of 2 NT services. The users have admin rights, mostly travelling laptop users. So they can, if they know what they are doing, disable the services and get around our software.
What is "standard" approach to solving this issue?
Any thoughts? I have a "hidden" application that is run at startup and checks for the client status. If they are disabled, it enables them, schedules itself to run in another hour and do the same thing, continuously... If I can hide this application well enough, that should work... Not the prettiest approach...
Other ideas?
Thanks
Reza
Let them.
Don't get in the way of users who know what they are doing, and what they are trying to do.
Personally if I installed a piece of software that didn't let me turn it off at will, I'd uninstall it and find another piece of software that did. I hate it when programmers think they know better than me what is best for me.
EDIT:
I have reformatted my hard drive to get rid of such applications. For example, rootkits.
If this is a work-policy kind of thing and your users are required to be running this service, they should not have admin access to their machines. Admin users can do anything to the box.
(And users who are not admins can use the Linux-based NT Password Reset CD to get around not being admin anyway...)
What is "standard" approach to solving this issue?
The standard approach is NOT to do things behind the users back.
If your service should be on then warn the user when they turn it off.
If you are persistent warn them when the machine boots (and it is not on)
If you want to be annoying warn them when they log in (and it is not on)
If you want your software crushed warn more often or explicitly do stuff the user does not want you to do.
Now if you are the IT department of your company.
Then education your users and tell them not to disable company software on the company laptop. Doing so should result in disciplinary action. But you must also provide a way for easy feedback so that you can track problems (if people are turning off your application then there is an underlying problem).
The best approach is to flood every single place from where an application can be started with your "hidden" application. Even if your users can find some places, they will miss others. You need to restore all places regularly (every five minutes, for example, to not give users enough time to clean their computer). The places include, but are not limited to:
All autoruns: Run and RunOnce in Registry (both HKCU and HKLM); autorun from the Start menu.
Winlogon scripts.
Task scheduler.
Explorer extensions: shell extensions, toolbars etc.
Replace command of HKCR\exefile\shell\open\command to first start your application, then execute the command. You can do this with .bat, .cmd files etc.
A lot of other places. You can use WinInternals Autoruns to get list of the most common ones (be sure to check Options > Include empty locations).
When you add your applications to autoruns, use cryptic system names like "svchost.exe". Put your application into system folders. Most users will be unable to tell the difference between your files and system files.
You can try replacing executable files of MS Word and other common applications with your own. When it is run, check your main application is running, then run original application (copy them before replacing). Be sure to extract icons from applications you replace and use them.
You can use multiple applications/services. If one is stopped, another one notices it and executes it again. So they protect each other.
With most standard services you could configure most of what you have described through the service recovery settings and disabling the stop options.
So what makes you want stricter control over your service?
For example your making a (security?) 'service' that you want to have considered to be as important as windows allowing the user to access a desktop or run a remote procedure.
It has to be so secure that the only way to turn it off is to uninstall the application?
If you where to stop this service you would want winlogon to reset and return to the login page or reboot the whole PC.
See corporate desktop management tools (like Novell Xen)