A Note on Modifying System Files

During some of the early betas of Vista, I am told (I wasn't yet investigating Windows Integrity Controls, so I can't personally verify it) that Microsoft labeled all of the Windows system files with, not surprisingly, the "system" integrity level. This apparently caused no end of heartache to beta testers because whenever a new version of the Vista beta appeared, those testers, who were logged on as administrators and therefore running mere high-integrity processes, could not delete the old operating system. A person inside Microsoft told me that someone there had created an application called obliterate.exe that was the only thing that could wipe old Vistas off a hard disk.

Needless to say, having to run an unsupported in-house application to remove a copy of Windows from a hard disk was not popular, particularly since the millions of beta testers never received a copy of that apocryphal tool. So Microsoft tried another tack in protecting operating system files, a quite significant one even if quietly done: they completely rebuilt the default NTFS permissions on everything in the \Windows directory.

In Windows Server 2003 and XP, the default permissions on the \Windows directory gave the Administrators group a simple "Full Control," and that same Administrators group owned the directory. In Vista, things are a lot different, as you can see in Figure 4.9.

Figure 4.9: New default permissions on the \Windows directory

First of all, Vista's \Windows folder does not inherit any permissions from the root directory. Microsoft (probably wisely) set up your operating system's hard disk so that any loosening of the permissions on C: (or whatever drive you put your OS on) will not loosen the Windows permissions a whit. In the \Windows folder, the local Administrators group has almost full control, but lacks permissions to

  • Delete subfolders and files

  • Change permissions

  • Take ownership

This is a very subtle but powerful change in a few ways. First, these permissions do not inherit to subfolders as is normally the case; they apply only to the \Windows folder itself. Microsoft did that because they've been very closely fine-tuning the NTFS permissions on the Windows folder. And notice the other two: "change permissions" and "take ownership." Where have we seen this before? Yeah, you've got it: those are the permissions needed to change a file's integrity level. I guess Microsoft's aim here was to set things up so that an administrator running in elevated mode who inadvertently ran something that tried to lower the integrity level, or in fact loosen the permissions, of any of the operating system files in \Windows would trip a few alarms. In practice that means the attempt fails with "access denied" instead of quietly succeeding. (Of course, it also caused me some heartburn the first time I tried to change notepad.exe's integrity level to high when trying to construct a useful example!)

But it doesn't stop there. Ready for the really big change? We Administrators are no longer the owners of the \Windows directory, for the first time in, well, ever, from the Windows point of view; the owner is now the TrustedInstaller service account (NT SERVICE\TrustedInstaller), the identity that the Windows Modules Installer service runs under. (Ah, that's what's been giving me the creeps about Vista. I knew this thing didn't treat me like The Boss the way the old operating systems did. And no, I wasn't referring to Bruce Springsteen.)

Those changes continue as we move down to System32. Again, Microsoft has removed any inherited permissions on System32 and hand-tuned them. The same is true of a number of other folders, including System32\Drivers. Apparently Microsoft is thinking, as with the \Windows folder, that disconnecting inheritance will greatly slow down any malware that seeks to borrow an administrator's powers to open up the entire \Windows directory in one fell swoop: with inheritance off, loosening the ACL on the top-level folder does not flow down, so each protected folder has to be dealt with separately. Once again, none of these directories gives Administrators the ability to delete files and subfolders, change permissions, or take ownership.
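The following script is an added example, not code from the book: it checks, read-only, whether the hand-tuned defaults described above for \Windows, System32 and System32\Drivers are still in place on the machine it runs on. For each folder it reports the owner, whether inheritance from the parent is blocked, and whether any ACE that applies to the folder itself grants the local Administrators group the three rights the text says they lack. Inherit-only ACEs are deliberately skipped, because those apply to children rather than to the folder. The folder list and the property names of the output object are this example's own choices.

```powershell
# Added example (not from the book): audit the hand-tuned ACLs on the folders
# the text discusses and report whether the Vista defaults are still present.
# Read-only; works from an elevated or a non-elevated prompt.

$folders = @(
    "$env:SystemRoot",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\Drivers"
)

# The three rights the text says Administrators lack on these folders,
# expressed as the .NET FileSystemRights enumeration values.
$blocked = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$adminSid = 'BUILTIN\Administrators'

foreach ($f in $folders) {
    $acl = Get-Acl -Path $f

    # AreAccessRulesProtected is true when inheritance from the parent is off.
    $inheritsFromParent = -not $acl.AreAccessRulesProtected

    # Allow ACEs for the local Administrators group that apply to this folder
    # itself. PropagationFlags bit 2 (InheritOnly) marks ACEs that exist only
    # to be inherited by children, so they are skipped here.
    $adminAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $adminSid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.PropagationFlags) -band 2) -eq 0
    }

    # Union of the rights those ACEs grant on the folder.
    $granted = 0
    foreach ($ace in $adminAllow) {
        $granted = $granted -bor [int]$ace.FileSystemRights
    }

    [pscustomobject]@{
        Folder             = $f
        Owner              = $acl.Owner
        InheritsFromParent = $inheritsFromParent
        AdminsOwnFolder    = ($acl.Owner -eq $adminSid)
        AdminsHaveBlocked  = (($granted -band [int]$blocked) -ne 0)
        AdminRightsOnFolder = [System.Security.AccessControl.FileSystemRights]$granted
    }
}
```

On a box that still carries the defaults you should see InheritsFromParent and AdminsOwnFolder both false and AdminsHaveBlocked false for all three folders. If AdminsHaveBlocked comes back true, or the owner is the Administrators group, someone has already done the take-ownership dance described later in this note, and the tripwire is gone.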

Was this a good change? Some will argue yes, some no, but I know one thing: this will cause more than a few heated discussions around the water cooler or, more likely, the beer pitcher. Let me try to summarize what the two points of view will probably be.

Those who say that it's a bad idea will name, or at least be thinking, a few things:

  • First of all, pre-built permissions that don't make admins the owners of a system are a pain in the neck for administrators who are used to being able to do anything that they want on their systems. (Imagine loud emphasis on the word "their," accompanied by a pound or two on the table. There might even be a one-word pleading to their favorite deity thrown somewhere.) This is the "dang, this is going to make my work harder" reason. And, speaking as an admin of several decades, they're right.

  • Second, they will argue, also correctly, that any computer criminal worth his salt will just take ownership of \Windows, give himself full control, and then move on to \Windows\System32 and do the same, and then \Windows\System32\Drivers, and so on. There is, they will argue, no structural barrier to an administrator taking control of a Windows system, just the irritation factor of having to do dozens of things to take that control rather than having it handed to him immediately. True hackers, they will argue, would be attracted to the challenge of cracking a Vista box. I'm not so sure about this argument, but I've heard it.

On the other hand, those who like the changes will argue that

  • These barriers are not insurmountable, but they do exist. They're sort of like tripwires: they don't stop you, but they do sound the klaxons that there's someone trying to do a Bad Thing to the system. Better yet, they're a simple barrier that reminds us that we're treading in dangerous waters, a simple reminder to the well-intentioned but perhaps inattentive administrator that "oops, that wasn't what I meant to do." In fact, speaking of tripwires, this might be just the sort of thing that the new Event Viewer's ability to attach a task to an event was built for. Bear in mind, though, that a failed attempt to change permissions or ownership only lands in the Security log if you have enabled auditing of object access and put a matching audit entry (SACL) on the folder; the access-denied error on its own is not logged.

  • Obstacles don't have to be perfect to be effective because, after all, no obstacle is perfect. The vast majority of attacks on a system don't come from dedicated hackers. They are, instead, just some mindless worm or bot, or something that some pathetic script kiddie found on the Internet and is trying to hack you with because, well, you and he are on the same cable modem trunk.

Who's right? I don't know. But personally I side with the latter group. There's an old quip that "to err is human, but to really screw things up requires a computer." Simple missteps can mean serious damage, so I'd argue that a few "are you sure's" now and then aren't the worst thing in the world.

And besides, it's not like you can no longer control your system. If you want to restore your Vista system to the Good Old Days of administrators' owning the \Windows directory and having full control of all of its folders, then that's entirely possible. After all, there's nothing stopping you from taking ownership of those folders, as that's a privilege ("Take ownership of files or other objects," SeTakeOwnershipPrivilege) that the Administrators group always holds.
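If you do decide to go back to the Good Old Days, the script below is an added example (not from the book) of doing it in a way you can undo: it saves the current DACLs with icacls first, then takes ownership for the Administrators group and grants Full Control down the tree, and finishes with the commands that put the saved DACLs and the TrustedInstaller owner back. The save/restore pairing follows icacls' documented usage (save from "folder\*", restore into "folder"); the backup file names and the use of the well-known SID S-1-5-32-544 instead of the localized group name are this example's own choices.

```powershell
# Added example (not from the book). Give the local Administrators group
# ownership and Full Control of the \Windows tree, after backing up the
# current DACLs so the change can be reversed. Run from an elevated prompt.
# Assumption: $env:SystemRoot points at the Windows folder (normally C:\Windows).

$root       = $env:SystemRoot
$rootParent = Split-Path -Parent $root               # e.g. C:\
$backup     = "$env:TEMP\windows-acl-backup.txt"     # DACLs of everything under $root
$backupTop  = "$env:TEMP\windows-acl-backup-top.txt" # DACL of $root itself

# 1. Save the DACLs of the whole tree. Saving "$root\*" stores entries relative
#    to $root, which is why the matching /restore below is applied to $root.
#    The top folder's own ACL is not covered by "$root\*", so it is saved
#    separately and restored relative to its parent.
icacls "$root\*" /save $backup /T /C /Q
icacls $root /save $backupTop

# 2. Take ownership for the Administrators group (/A) rather than the current
#    user, recursing through subfolders (/R) and answering Y to any prompt (/D Y).
#    This is SeTakeOwnershipPrivilege at work; no special permission on the
#    folder itself is needed.
takeown /F $root /A /R /D Y

# 3. Now that Administrators own the tree, grant them Full Control (F),
#    inherited by subfolders (CI) and files (OI), for every object (/T).
#    "*S-1-5-32-544" is the well-known SID of BUILTIN\Administrators, which
#    avoids depending on the localized group name.
icacls $root /grant "*S-1-5-32-544:(OI)(CI)F" /T /C /Q

# To reverse the change: put the saved DACLs back, then hand ownership back to
# the TrustedInstaller service account, the Vista default owner of these folders.
# (Uncomment to run.)
# icacls $root /restore $backup /C /Q
# icacls $rootParent /restore $backupTop
# icacls $root /setowner "NT SERVICE\TrustedInstaller" /T /C /Q
```

Two cautions. The /T switches touch tens of thousands of objects, so the run takes a while and the backup file is large; keep it somewhere you will find again. And once Administrators own the tree and have Full Control everywhere, the "are you sure" tripwire this note has been describing is gone for good until you run the reversal, so treat the backup as the only record of what the defaults were.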




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2004
Pages: 101
