Kurt Seifried, [email protected]


Like many people, I use Microsoft products on a regular basis, but having spent as much or more (probably more) time in Unix, I find certain things frustrating. In the Unix world, I take for granted the ability to set permissions on files and devices. While NT and 2000 have file permissions, you cannot easily restrict users' access to communications ports and removable media, for example.

I also want to be able to restrict what users can and cannot run. There are a number of ways to do this in Unix, with varying degrees of difficulty to implement and of effectiveness.

Another one of the (dis)advantages of Unix is the degree to which you can customize the OS and installation, from simple functions like making /tmp a separate partition to patching the kernel to prevent some buffer overflows. Almost none of these capabilities ship with Microsoft operating systems, or the security tools that are provided are typically weak or flawed.

Just a note: Normally I don't write hoo-rah-rah articles full of cheer and bonhomie, but every once in a while I do find a company building something very useful/usable that warrants covering. Next week I'll be going over some similar solutions for Linux. Let's face it, the default tools are often not enough to really secure a system.



It's a pity Microsoft doesn't harden its OS more. Most Unix platforms provide some form of protection against buffer overflows, and while they can typically be circumvented, the protection does raise the bar for attackers. With Solaris we have the file "/etc/system" with some interesting options such as:

set noexec_user_stack = 1
set noexec_stack_user_stack_log = 1

And for Linux there is the ever-popular Solar Designers patch, which can (among other things) help prevent buffer overflows. Until recently nothing like this existed for Windows, but there is now SecureStack. The cool thing is, you can get a free version of SecureStack that will report buffer overflows, but not stop them.

You would be well advised to at least install the free version, as it will give you an indication of attacks, etc. For any publicly accessible servers (such as IIS) or workstations, it is most likely a good investment, as these systems are the most likely to be exposed to hostile code. While it is unlikely SecureStack will prevent 100% of buffer overflow-based attacks, it will raise the bar and block many of the more common ones, giving you a bit of safety between the time exploit code is created, and a fix from Microsoft (or whichever vendor is in question).



Unless you seriously limit (or completely restrict) a user's ability to install software and access the Control Panel, you will be unable to prevent them from using their serial and parallel ports. Even if you do lock this down, by disabling the ports in Control Panel for example, any user that does need to use the parallel port or serial port will either need access to the Control Panel, or an admin to modify it. And of course you have to remember to disable the port after you're done, something that will likely be forgotten.

The same goes for removable media like floppy disks and CD-ROMs. Of course, many users will have legitimate needs for these, so any solution that controls access to them must easily allow use. In Unix this is pretty simple: create a group of users and assign them access to the appropriate device.

For Windows there is SecureNT (the name is a bit misleading — it works in Win9x as well). SecureNT lets you control access to communications ports and removable media. You can assign access to users and groups, centrally administer and control it. SecureNT also has some other cool features, like letting administrators specify that all data copied to a floppy disk be also placed in a directory for later perusal (to make sure confidential data hasn't been copied).

It's really too bad these features don't exist in Windows by default. If an attacker wants to copy masses of data off your network, it is often very simple to do so (use a floppy disk, parallel port CD burner, etc.), and it's also very easy for users to make "mistakes" like attaching a modem to their workstation so they can dial in from home (and not have to go through the hassle of getting access to the company dial-in pool).



One of the easiest ways to hack into a system is to have a batch file that creates a new administrator account, and get someone with administrative access to run it (just one reason why auditing and logging system events is so important).

This can be as simple as creating a desktop icon and telling the help desk, "every time I click on this I get a weird error." They come by, log in, run it, and presto, the batch file (or whatever Trojan) is run.

In addition, most companies want to control what users run. This is typically done by using system policies; however, these are very weak. Unless you give the full path to the executable, all an attacker needs to do is name their program "notepad.exe" (or something else the user is allowed to run). Even with the full path name to the executable, an attacker can overwrite a program the user is allowed to run with a Trojan — and this doesn't even touch on the problems with other kinds of executable content such as DLLs.

The SecureExe system uses not only the name and path of the program or file in question, but a SHA-1 digital signature, stored on a server. The system uses a kernel module that intercepts calls to things like DLLs, makes sure that the user in question is allowed to run the item, and that the signature matches. If the signature doesn't match, it won't be run and the violation will be logged.

This is useful not only for preventing people from running Trojans (accidentally or otherwise), but also for enforcing software versions. (If someone upgrades, it will "break" since the signatures do not match the old profile.)



This is (in my opinion) all stuff that should be available by default in Windows 9x/NT/2000. Unfortunately, it is not. The good news is that if you require the extra security, it is available — although I have no idea what the pricing is. Anyway, if you're paranoid you should probably contact them. If not, you should probably download SecureStack, since the demo is free and will tell you when someone exploits a buffer overflow.


Reference links: - SecureWave - SecureStack 1.0



Last updated 4/10/2001

Copyright Kurt Seifried 2001