Current Permission Settings


To understand where you can harden the Windows operating system, you need to understand its current settings first. Table 3-8 lists the default security settings for Windows XP and Windows Server 2003 for the most interesting files and folders (permissions are inherited below unless noted).

The files under \Windows\System32 have two main permission sets, as shown in Tables 3-9 and 3-10. Note that the files in Table 3-10 cannot be accessed directly by Users and Power Users, but they can be by the Interactive group, which conveys the necessary Read & Execute permissions to non-Network users.

Table 3-9

\Windows\System32 Example Files with Permissions That Are: Users and Power Users: Read & Execute; Administrators, System, and Creator Owners: Full Control

Acledit.dll, Adminpak.mis, Azman.dll, Browseui.dll, Clipsrv.exe, Dcpromo.exe, Diskmgmt.exe, Eventviewer.exe, Gpedit.exe, Kerberos.dll, Hal.dll, Kernel32.dll, Notepad.exe, Ntdll.dll, Ntds.dit, Ntoskrnl.exe, Progman.exe, Rasphone.exe, Rdpclip.exe, Regedt32.exe, Riched20.dll, Runonce.exe, Services.exe, Shell32.dll, Shscrpa.dll, Svchost.exe, Sysedit.exe, Systray.exe, Tlntsvr.exe, User32.dll, Userinit.dll, Win32k.sys, Winhlp.exe, Winlogon.exe, Winsock.dll, Winspool.exe, Wow32.dll, Wscript.exe, Wsoc32.dll

Table 3-10

\Windows\System32 Example Files with Permissions That Are: Interactive, Batch, Service: Read & Execute; Administrators, System, and Creator Owners: Full Control

Append.exe, Arp.exe, At.exe, Bootcfg.exe, Calcs.exe, Chgusr.exe, Clip.exe, Cluster.exe, Cmd.exe (doesn't include Batch group), Command.exe, Comp.exe, Convert.exe, Debug.exe, Diskpart.exe, Diskperf.exe, Dsmove.exe, Edit.com, Edlin.exe, Eventtriggers.exe, Exe2bin.exe, Format.exe, Ftp.exe, Finger.exe, Gpresult.exe, Gpupdate.exe, Ntbackup.exe, Ntdsutil.exe, Openfiles.exe, Pathping.exe, Ping.exe, Powercfg.exe, Print.exe, Proxycfg.exe, Rasdial.exe, Rcp.exe, Recover.exe, Redir.exe, Reg.exe, Regsvr32.exe, Replace.exe, Reset.exe, Rexec.exe, Rsh.exe, Rsm.exe, Runas.exe, Sc.exe, Schtasks.exe, Share.exe, Taskkill.exe, Tasklist.exe, Telnet.exe, Tftp.exe, Tftpd.exe, Tskill.exe, Win.com, Wins.exe, Xcopy.exe

Any authenticated user can Read & Execute these files.

Because the Users group does not have access, but the Interactive group does, users connecting over the network (but not using RDP or Telnet) cannot Read & Execute these files remotely.
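The difference between the two tables can be checked against a file's SDDL string (for example, the value of (Get-Acl <file>).Sddl in PowerShell). The Python script below is an added example, not code from the book: the two DACLs and the token group sets are constructed to follow the patterns in Tables 3-9 and 3-10, and the evaluation is a simplified model of the Windows access check.

```python
import re

RX = 0x1200A9  # Read & Execute = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
ACE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def parse_mask(text):
    """Rights field: a hex mask (0x1200a9) or a run of two-letter codes (FRFX)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS.get(text[i:i + 2], 0)  # codes outside RIGHTS are ignored
    return mask

def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, sid)] for the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [(t, f, parse_mask(r), sid) for t, f, r, sid in ACE.findall(dacl)]

def grants_rx(sddl, token_sids):
    """Walk the DACL in order and report whether the token gets Read & Execute."""
    granted = denied = 0
    for ace_type, flags, mask, sid in parse_dacl(sddl):
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if "IO" in flag_set or sid not in token_sids:
            continue  # inherit-only ACEs do not apply to the object itself
        if ace_type == "D":
            denied |= mask & ~granted
        elif ace_type == "A":
            granted |= mask & ~denied
    return (granted & RX) == RX

# Constructed DACLs following the two patterns in Tables 3-9 and 3-10
# (S-1-5-3 is the Batch group, which has no two-letter SDDL alias).
TABLE_3_9 = "O:BAG:SYD:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;PU)(A;;0x1200a9;;;BU)"
TABLE_3_10 = ("O:BAG:SYD:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;IU)"
              "(A;;0x1200a9;;;SU)(A;;0x1200a9;;;S-1-5-3)")

# Constructed group SIDs in a non-admin user's token, by logon type.
CONSOLE = {"WD", "AU", "BU", "IU"}  # Everyone, Authenticated Users, Users, Interactive
NETWORK = {"WD", "AU", "BU", "NU"}  # same user over the network: Network, not Interactive

if __name__ == "__main__":
    for name, sddl in (("Table 3-9", TABLE_3_9), ("Table 3-10", TABLE_3_10)):
        print(name, "console:", grants_rx(sddl, CONSOLE),
              "network:", grants_rx(sddl, NETWORK))
```
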

Interesting Points About Information in Tables 3-8 through 3-10

This section describes Tables 3-8 through 3-10.

%SystemDrive%

The permissions set in Tables 3-8 through 3-10 can be inherited all the way down through the file system. The Everyone group listed here has Read & Execute, but only to the folder. By default, the Everyone group has very few permissions to the rest of the file system (despite common misconceptions to the contrary). Creator Owner does have Full Control to any subfolders or files, and this permission is inherited below. Users can Read & Execute files, and this permission is inherited below, but users cannot create files directly in the root directory.

Boot Files

Non-admin users do not have access to the boot files. While malware hasn't yet attacked these files, preventing non-admin access gives them additional security if your end users aren't logged in as administrators.

Program Files

By default, normal users have only Read & Execute permissions to the Program Files folder. This means they cannot modify existing programs or install new ones. In Windows NT 4.0, non-admin users could modify this directory and its files. Often they had to because of the way applications, including Microsoft Office, were written. The Compatws.inf security template (covered in Chapter 14) gives Users Modify permissions if needed for legacy applications. One caution here: Terminal Server Users have Modify permissions by default. Terminal Server Users is a legacy group no longer needed in Terminal Server 2000 and 2003 versions, but it could still be present and used.

Windows and Windows\System32

As shown in Tables 3-8 and 3-9, by default, regular end users have Read & Execute permissions to all the files and folders in, and below, the Windows and Windows\System32 directories. These permissions are applied to dozens of files regular end users don't need access to. We will tighten those permissions in Chapter 5.

For reasons unknown to me at this time, the Everyone group is given access to the following files: Calc.exe, Clipbrd.exe, and Write.exe. Why did Microsoft single these out for special treatment? I don't know. It is more perplexing that Write.exe allows Everyone access, but Notepad.exe (even less likely to be used maliciously) doesn't. Just one of those Windows oddities.

System Volume

The System Volume Information (i.e., Sysvol) directory is used in Active Directory, but is installed even on stand-alone servers and Windows XP Pro. In XP, it is where System Restore stores its data. XP will spawn a new "System Volume Information" subtree on every new hard drive volume it sees, although not immediately, so it is usually possible to disable System Restore for that volume in time.

On non-domain controllers, it can contain miscellaneous items, such as log files. On a domain controller, it will contain group policy objects, File Replication Service (FRS) staging directories and files, user logon, logoff, startup, and shutdown scripts, file system junctions, and the Netlogon shared folder for pre-Windows 2000 computers. On Server 2003, Creator Owner, System, and Administrators have Full Control. In Windows XP, only the System account has access, so not even Administrators can access it.



Professional Windows Desktop and Server Hardening
ISBN: 0764599909
EAN: 2147483647
Year: 2004
Pages: 122