base line XP kernel protection and folder protection, any?

Discussion in 'Security Software' started by jtgh, Feb 2, 2005.

  1. jtgh

    jtgh Guest

    Base line security:
    100% new hardware.
    new xp+sp2 pro
    no Domain,

    two accounts: admin and nobody
    admin is the normal install admin.
    nobody is in group Users only (no other groups assigned).

    Is it possible to have a user defined (using built-in groups or custom)
    that will be locked out of the Windows folder?
    To my knowledge, the answer is no (in whole or in part).
    I wish this feature to protect the Windows folders from a virus, etc.
    I am aware XP has a built-in protector but it has been breached by some
    worms already.
    Are there any 3rd party programs that will protect Windows?
    "OS Code Protector, etc."
    Is there any hope that Longhorn will improve this issue?

    Print and file sharing is off; the SP2 firewall is fully active and at
    default.

    Thanks for any help.

    My goal is to protect folders from other users and to protect the
    Windows folders from all but admin.
    PS:
    I am already aware that I, as a user, can set my folders to be
    accessible only by me and admin.
    I am not asking for antivirus or antispy, as I have this in
    spades now.
     
    jtgh, Feb 2, 2005
    #1

  2. Default settings give administrators full control of the \WINDOWS folder;
    users have only read and execute access. This is necessary so that the operating
    system will run.

    Steve Riley
     
    Steve Riley [MSFT], Feb 2, 2005
    #2

  3. XP Pro already has the system folder locked down so that users have
    read/list/execute permissions, which they need to use the operating system
    and applications. What "built-in protector" has been breached by worms?
    The firewall? Firewalls are one part of a security plan and will happily
    let content through that the user wants to download, including malware.
    Other parts of a security plan would be strong passwords, an antivirus program
    that is kept up to date and scans all emails, and keeping current with
    critical updates at Windows Update. Since you are using XP Pro I would
    suggest Software Restriction Policies [available in Local Security Policy]
    to lock down the computer further, starting with a default Disallowed rule.
    The link below explains more. --- Steve

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
     
    Steven L Umbach, Feb 3, 2005
    #3
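The Software Restriction Policies default rule recommended in the post above, and the WFP on/off switch that the thread comes back to later, are both plain REG_DWORD values, so a box can be audited from a `reg export` / regedit export without touching the GUI. The script below is an added example written for this page, not code from the thread or from Microsoft. The key paths and value meanings are the documented ones (Safer\CodeIdentifiers DefaultLevel 0x0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted; TransparentEnabled 2 = check DLLs too; PolicyScope 1 = exempt local administrators; Winlogon SFCDisable as described in KB 222193). The three .reg texts are constructed samples; a real export is UTF-16 and must be decoded to a string first.

```python
"""Audit a regedit export for two XP lockdown settings: the Software
Restriction Policies default rule and the Winlogon SFCDisable value.
Added example for this page; assumptions are marked in comments."""
import re
from typing import Dict, List

# Real registry locations on Windows 2000/XP.
SRP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SRP_LEVELS = {0x00000000: "Disallowed", 0x00020000: "Basic User", 0x00040000: "Unrestricted"}
SFC_VALUES = {0x0: "enabled", 0x1: "disabled, prompt at boot",
              0x2: "disabled for next boot", 0x4: "enabled, popups suppressed",
              0xFFFFFF9D: "disabled (needs kernel debugger on XP)"}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: int}} for the REG_DWORD values in a .reg
    text. Other value types are ignored; the export must already be a str."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(reg: Dict[str, Dict[str, int]]) -> List[str]:
    """Findings are deviations from: SRP default Disallowed, applied to all
    files and all users; WFP enabled."""
    findings = []
    if SRP_KEY not in reg:
        findings.append("SRP: no policy configured (everything may run)")
    else:
        srp = reg[SRP_KEY]
        level = srp.get("DefaultLevel", 0x40000)   # absent means Unrestricted
        if level != 0:
            findings.append(f"SRP: DefaultLevel is {SRP_LEVELS.get(level, hex(level))}; expected Disallowed")
        if srp.get("TransparentEnabled", 1) < 2:   # 1 = skip DLLs, 2 = all files
            findings.append("SRP: TransparentEnabled < 2, DLLs are not checked")
        if srp.get("PolicyScope", 0) != 0:         # 1 = exempt local administrators
            findings.append("SRP: PolicyScope exempts administrators")
    sfc = reg.get(WINLOGON_KEY, {}).get("SFCDisable", 0)
    if sfc not in (0, 4):
        findings.append(f"WFP: SFCDisable={sfc:#x} ({SFC_VALUES.get(sfc, 'unknown')})")
    return findings


# Constructed sample exports (real ones are UTF-16 and start with a header line).
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"TransparentEnabled"=dword:00000002
"PolicyScope"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"""

WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001
"PolicyScope"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"""

# A fresh XP Pro install: no SRP key at all, WFP left at its default.
DEFAULT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ReportBootOk"="1"
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_EXPORT), ("weak", WEAK_EXPORT),
                        ("default", DEFAULT_EXPORT)):
        print(label, audit(parse_reg_export(text)) or ["no findings"])
```

Run it against `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer" srp.reg` plus the Winlogon key, decoded from UTF-16; an empty findings list is the hardened state, and the "no policy configured" finding is what a default XP Pro install produces.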
  4. jtgh

    jtgh Guest

    Yes, this is all standard procedure on the Windows boxes.
    When we must use a M$ OS, our systems are all protected via
    the onion:
    hw, firewall.
    sw, firewall
    NAT , box routers
    AVG7
    Spybot13 , full scan, every day and full real-time. Teatime!
    adware1se , ditto
    M$ antispy beta , ditto
    Spysweep full version, ditto
    Logins, as USER (predefined group)
    Personal folders , locked. NTFS, 1 admin account.
    (we use Linux (SuSE 9) for anything serious, but some things require
    M$, like AutoCAD, etc.)

    The Windows protection is the "DLLCACHE protector engine built into the
    kernel".
    It protects the kernel, but there are a few viruses that can attack this
    protection.

    We all know that we all have full protection, per above, but that is not
    the question; the question is how do we better protect the weak system
    design.
    Just 1 week of class in Linux kernel design and then Windows will show you
    that
    the kernel (and its utilities) are wide open (save the DLL cache, etc.,
    protector).
    The difference is Linux uses intrinsic protection and MS uses active
    real-time protection. The M$ method can be attacked from many fronts:
    memory, kernel and the protector itself (to name a few). It is a
    kludge, carried forward for the inane reasons of legacy (x86 code).

    So the question is what techniques or aftermarket products (3rd party)
    can be used to better protect the \windows and \windows\systemx
    folders and registry files from attack,
    other than the standard-issue AV and spyware protectors.
    Call it Kernel Lock or protector.

    The whole concept of applications writing to the root areas (OS kernel
    etc.) is bankrupt.
    If nothing else, M$ should have moved the applications part of the
    registry to a different file, moved it to a folder called
    Application Data and had separate and obviously weaker protection on
    it. The OS would be completely protected.

    The design would be such that the core elements would be read only
    (save admin account).

    Proactive , and less Reactive mind set.

    In conclusion, I do notice that most M$ people have already given up
    on a real OS.

    When one loads M$ windoz, it should ask only 1 question: Legacy BS or
    No Legacy BS (bull scrud); the latter would be a secure OS (as
    good as Linux).

    My answer is as long as the topic is complex.

    Thanks for any help or direction. jtgh
     
    jtgh, Feb 4, 2005
    #4
  5. jtgh

    jtgh Guest

    Windows File Protection (what it does and what it does not do)
    also see: System File Checker sfc.exe (boot scan)
    I assembled this group to understand WFP.
    WFP
    the horse's mouth (arce?):
    http://support.microsoft.com/default.aspx?scid=kb;en-us;222193

    Note that M$ fails to note other means of attack: the kernel itself and
    WFP can
    be attacked, not to mention that Update.exe and dllhost.exe can be
    attacked.
    Or any virus that can run the regedit code and turn off WFP will be
    successful.
    Cmd.exe?
    or WINLOGON.EXE or W32TM.EXE
    Why is it that M$ always understates the issues: ignorance, EGO, or are
    they just
    keeping the hackers ignorant? I just wonder.



    Known successful attacks (direct or indirect), just to name a few:
    Nachi worm attacks the following file:
    C:\WINNT\system32\wins\dllhost.exe
    and
    virus WORM.MSBLAST
    Win32.Wqk.C
    VBS.LOVELETTER worm
    W32.Pinfi
    W32.Valla.2048
    Code Red worm

    TROJAN EXPLORER.EXE
    [First, the trojan program adds the value SFCDisable=0xFFFFFF9D
    to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
    This registry setting completely disables the Windows File
    Protection (WFP) mechanism. WFP prevents the replacement of
    certain monitored system files. See the following for more info:
    http://support.microsoft.com/support/kb/articles/Q222/1/93.ASP]


    Links:
    http://groups-beta.google.com/group/microsoft.public.windowsxp.setup_deployment/browse_frm/thread/452843f86a37bcbc/fd4210a02427445f?q=WPF+++Windows+XP&_done=%2Fgroups%3Fhl%3Den%26q%3DWPF+++Windows+XP%26qt_s%3DSearch+Groups%26&_doneTitle=Back+to+Search&&d#fd4210a02427445f

    One known weakness:
    WFP will pop up an alert if you try to delete/rename a dllcache'd file
    on
    Windows 2000 Professional (under admin only).

    A workaround (my favorite) that I found posted somewhere was to do
    something
    like this:

    rem Overwrite the dllcache copies first, then the live files, each with
    rem a copy of another protected binary (notepad.exe); no WFP alert fires.
    copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\dllcache\wscript.exe
    copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\dllcache\cscript.exe
    copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\wscript.exe
    copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\cscript.exe

    WFP is not intelligent enough to know when one protected file is
    overwritten
    with a copy of another. (Note a service pack may have cured this bug.)

    Weakness 2:
    I just now have confirmed that WFP does not appear to check the
    checksum (CRC, not checksum) of the file in the dllcache folder to see
    whether it
    has been altered by a local or remote attacker or a virus or worm, so
    this would
    appear to be a security issue.] (a weakness, and it WILL be our death)
    (reviewer's note: checksum is useless technology, CRC! ok?)

    Food for thought:
    After reading 1000 documents on Best Practices and then doing them,
    why are you not using LINUX?
    That is the real question (is it only fear of the unknown?).



    Links:


    http://www.systemexperts.com/tutors/HardenW2K101.pdf

    http://securityadmin.info/faq.htm#harden

    http://www.nsa.gov/ < look for security templates.

    Conclusion:
    Windows is doomed to its present design and as such, the WFP is the
    only hope.
    So, how can we make WFP bulletproof?
    Now that will be worth spending some time on.
     
    jtgh, Feb 4, 2005
    #5
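The two weaknesses in the post above come down to one gap: WFP trusts the dllcache copy, and it accepts one protected binary copied over another, so neither the copy trick nor a poisoned dllcache is noticed. An out-of-band baseline closes that gap: hash the live system32 files and their dllcache twins on a clean install, keep the list off the box, and recheck. The Python below is an added example written for this page, not code from the thread. It builds a throwaway directory tree with constructed byte strings standing in for notepad.exe, wscript.exe, cscript.exe and regsvr32.exe (the directory layout is an assumption for the demo; on a real box it would be %SystemRoot%\system32 and %SystemRoot%\system32\dllcache), replays the posted copy trick on wscript.exe (both copies) and on the live cscript.exe only, corrupts only the dllcache copy of regsvr32.exe, and reports what the check finds for each. It uses SHA-256 rather than a CRC.

```python
"""Baseline-hash check of protected files against their dllcache twins.
Added example for this page; assumptions are marked in comments."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, Optional


def sha256_file(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it is missing."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(system_dir: str, names: Iterable[str]) -> Dict[str, str]:
    """Record known-good hashes from a clean install (run once, store offline)."""
    return {n: sha256_file(os.path.join(system_dir, n)) for n in names}


def _describe(where: str, actual: Optional[str], by_hash: Dict[str, str]) -> str:
    if actual is None:
        return f"{where} copy missing"
    twin = by_hash.get(actual)  # hash matches a different protected file
    return f"{where} copy is really {twin}" if twin else f"{where} copy modified"


def check_protected_files(system_dir: str, dllcache_dir: str,
                          baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare both the live file and its dllcache twin with the baseline."""
    by_hash = {h: n for n, h in baseline.items()}
    results = {}
    for name, expected in baseline.items():
        live = sha256_file(os.path.join(system_dir, name))
        cache = sha256_file(os.path.join(dllcache_dir, name))
        problems = []
        if live != expected:
            problems.append(_describe("system32", live, by_hash))
        if cache != expected:
            problems.append(_describe("dllcache", cache, by_hash))
        results[name] = "; ".join(problems) or "ok"
    return results


def run_demo() -> Dict[str, str]:
    """Constructed scenario: build a fake tree, baseline it, replay the tricks."""
    # Constructed stand-ins for the real binaries (not real PE files).
    fake = {
        "notepad.exe": b"MZ notepad stand-in",
        "wscript.exe": b"MZ wscript stand-in",
        "cscript.exe": b"MZ cscript stand-in",
        "regsvr32.exe": b"MZ regsvr32 stand-in",
    }
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "system32")        # assumed layout
        dllcache = os.path.join(system32, "dllcache")
        os.makedirs(dllcache)
        for name, data in fake.items():
            for d in (system32, dllcache):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        baseline = take_baseline(system32, fake)

        src = os.path.join(dllcache, "notepad.exe")
        # Weakness 1 as posted: notepad over wscript in both places (WFP silent).
        shutil.copyfile(src, os.path.join(dllcache, "wscript.exe"))
        shutil.copyfile(src, os.path.join(system32, "wscript.exe"))
        # Same trick on the live cscript only; WFP itself would restore this one.
        shutil.copyfile(src, os.path.join(system32, "cscript.exe"))
        # Weakness 2: poison only the dllcache copy of regsvr32.
        with open(os.path.join(dllcache, "regsvr32.exe"), "ab") as f:
            f.write(b" tampered")

        return check_protected_files(system32, dllcache, baseline)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:13} {status}")
```

The "is really notepad.exe" wording is the point: because the baseline maps hashes back to names, a protected file overwritten with another protected file is named, not just flagged as changed, and a dllcache-only change is reported before WFP gets a chance to "repair" the live file from the poisoned copy.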
