From: "Rich" 

This is a multi-part message in MIME format.

------=_NextPart_000_0370_01C6AD62.05304E90
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

   You can adjust your token and run any process to run with the =
modified token.  It may or may not make you safer.  In the case of IE, = it
is running on your desktop/window station and these are a security =
boundry.  Your limited token IE process can still exchange messages with =
non-token adjusted processes.  This is why Vista has UIPI to go with = LUA.

   I believe the deny to which you refer is the =
SE_GROUP_USE_FOR_DENY_ONLY attribute.  The reason for this is that some =
ACL may deny access to members of a group.  If you could remove that SID =
from your token you could bypass that denial.  For this reason what =
happens is that the SID gets marked as deny only.  When evaluating an = ACL
the SID is not considered for access grants but is considered for =
denials.

Rich
  "John Beckett" 
wrote in message =
news:vmq3c21dr7ffm67p6rhv1au3cedsu4db0c{at}4ax.com...
  "Rich"  wrote in message news::
  > One reason for privileges to be disabled by default is so that an
  > application can not unintentionally exploit a privilege.

  Ahh! So, for example, if I write a program that backs up some files, =
if
  that is all the program does, then it will only backup files for which =
the
  user has Read permission.

  If the program was intended to backup access-denied files, then the
  program would have to first enable the backup right (which the user =
would
  need to have been granted).

  > Beyond enabling and disabling, there is a mechanism to remove
  > privileges from a token.

  As it happens, it was studying the article on DropMyRights by Michael
  Howard ("Browsing the Web and Reading E-mail Safely as an =
Administrator")
  that re-kindled my interest in this topic.

  According to ProcExp (Sysinternals Process Explorer), I can log on as =
an
  administrator, yet run Internet Explorer as a user (I used the
  DropMyRights article to set a Software Restriction Policy to run
  iexplore.exe with Basic User security level).

  ProcExp shows the iexplore.exe process, including Security Properties:
      Group: BUILTIN\Administrators
      Flags: Deny, Owner

  I tried to work out exactly what this meant (studying MSDN + Google).

  I gather that the Owner flag indicates that if this process creates an
  object, then the owner of that object will be set to the SID for
  BUILTIN\Administrators.

  I haven't work out exactly what the Deny flag means. It seems to me =
that
  it must be different from the "mechanism to remove privileges from a
  token" that you mention (browsing MSDN suggests that you may be =
referring
  to calling AdjustTokenPrivileges with NewState =3D =
SE_PRIVILEGE_REMOVED,
  which I gather physically removes the privilege from the token, in =
which
  case ProcExp couldn't list it).

  Experiment shows that a file that allows Read permission to =
Administrators
  and Authenticated Users _can_ be read by the restricted iexplore.

  However, a file that allows Read permission only to Administrators
  _cannot_ be read by the restricted iexplore.

  My guess is that the "Deny" flag in the security token for the
  Administrators SID means that an attempt to access an object by a =
process
  will fail, if the attempt relies on matching the Administrators SID in =
the
  object's DACL. However, if the DACL contains an ACE allowing access to
  some other SID in the token, then the access is allowed.

  Have I got this roughly right?

  > I describe this as defense in depth and not anything stronger =
because
  > it may not be difficult to work around if the exploited process can =
get
  > another process to do its dirty work for it.  It can't use a new =
child
  > process as that will inherit the same token but it may be able to
  > use one already running.

  Interesting. One technique I guess would be a shatter attack, and =
since
  the system is pretty complex, no doubt some more.

  Thanks,
  John

------=_NextPart_000_0370_01C6AD62.05304E90
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable








   You can
adjust your token =
and run any=20
process to run with the modified token.  It may or may not make you =

safer.  In the case of IE, it is running on your desktop/window =
station and=20
these are a security boundry.  Your limited token IE process can = still=20
exchange messages with non-token adjusted processes.  This is why
= Vista has=20
UIPI to go with LUA.
 
   I believe
the deny to =
which you refer=20
is the SE_GROUP_USE_FOR_DENY_ONLY attribute.  The reason for this
= is that=20
some ACL may deny access to members of a group.  If you could =
remove that=20
SID from your token you could bypass that denial.  For this reason = what=20
happens is that the SID gets marked as deny only.  When evaluating
= an ACL=20
the SID is not considered for access grants but is considered for=20
denials.
 
Rich

  "John Beckett" <FirstnameSurname{at}com=">mailto:FirstnameSurname{at}compuserve.com.omit">FirstnameSurname{at}com=
puserve.com.omit>=20
  wrote in message news:vmq3c21dr7f=
fm67p6rhv1au3cedsu4db0c{at}4ax.com..."Rich"=20
  <{at}> wrote in message >=20
  One reason for privileges to be disabled by default is so that =
an>=20
  application can not unintentionally exploit a privilege.Ahh! =
So, for=20
  example, if I write a program that backs up some files, ifthat is =
all the=20
  program does, then it will only backup files for which theuser has =
Read=20
  permission.If the program was intended to backup
access-denied =
files,=20
  then theprogram would have to first enable the backup right (which =
the=20
  user wouldneed to have been
granted).> Beyond enabling =
and=20
  disabling, there is a mechanism to remove> privileges from a=20
  token.As it happens, it was studying the article on =
DropMyRights by=20
  MichaelHoward ("Browsing the Web and Reading E-mail Safely as an=20
  Administrator")that re-kindled my interest in this =
topic.According=20
  to ProcExp (Sysinternals Process Explorer), I can log on as=20
  anadministrator, yet run Internet Explorer as a user (I used=20
  theDropMyRights article to set a Software Restriction Policy to=20
  runiexplore.exe with Basic User security
level).ProcExp =
shows the=20
  iexplore.exe process, including Security =
Properties:   =20
  Group: BUILTIN\Administrators   
Flags: Deny,=20
  OwnerI tried to work out exactly what this meant (studying =
MSDN +=20
  Google).I gather that the Owner flag indicates that if this =
process=20
  creates anobject, then the owner of that object will be set to the =
SID=20
  forBUILTIN\Administrators.I haven't work
out exactly what =
the Deny=20
  flag means. It seems to me thatit must be different from the =
"mechanism to=20
  remove privileges from atoken" that you mention (browsing MSDN =
suggests=20
  that you may be referringto calling AdjustTokenPrivileges with =
NewState =3D=20
  SE_PRIVILEGE_REMOVED,which I gather physically removes the =
privilege from=20
  the token, in whichcase ProcExp couldn't list =
it).Experiment shows=20
  that a file that allows Read permission to Administratorsand =
Authenticated=20
  Users _can_ be read by the restricted
iexplore.However, a file =
that=20
  allows Read permission only to Administrators_cannot_ be read by =
the=20
  restricted iexplore.My guess is that the
"Deny" flag in the =
security=20
  token for theAdministrators SID means that an attempt to access an =
object=20
  by a processwill fail, if the attempt relies on matching the=20
  Administrators SID in theobject's DACL. However, if the DACL =
contains an=20
  ACE allowing access tosome other SID in the token, then the access =
is=20
  allowed.Have I got this roughly
right?> I describe =
this as=20
  defense in depth and not anything stronger because> it may not =
be=20
  difficult to work around if the exploited process can get> =
another=20
  process to do its dirty work for it.  It can't use a new =
child>=20
  process as that will inherit the same token but it may be able =
to> use=20
  one already running.Interesting. One technique I guess would =
be a=20
  shatter attack, and sincethe system is pretty complex, no doubt =
some=20
 
more.Thanks,John

------=_NextPart_000_0370_01C6AD62.05304E90--

--- BBBS/NT v4.01 Flag-5