echo: nthelp
to: John Beckett
from: Rich
date: 2006-07-21 20:39:08
subject: Re: whoami /priv

   What OS are you running and where did you get whoami.exe?  The output
on Windows XP and Windows Server 2003 should look like

  C:\>whoami /priv

  PRIVILEGES INFORMATION
  ----------------------

  Privilege Name                  Description                                State
  =============================== ========================================== ========
  SeChangeNotifyPrivilege         Bypass traverse checking                   Enabled
  SeSecurityPrivilege             Manage auditing and security log           Disabled


One reason for privileges to be disabled by default is so that an
application can not unintentionally exploit a privilege.  It is not to
protect against malware, which, if running code on your system, can do
anything you can do.

Beyond enabling and disabling, there is a mechanism to remove privileges
from a token.  When a privilege is removed it can not be restored.  This
is a defense in depth.  If that process is exploited the removed
privilege can not be used.  I describe this as defense in depth and not
anything stronger because it may not be difficult to work around if the
exploited process can get another process to do its dirty work for it.
It can't use a new child process as that will inherit the same token but
it may be able to use one already running.

Rich

  "John Beckett" wrote in message
news:ftv2c2dt8he6n2al2d21pagi0hnkhg0l54{at}4ax.com...
  I'm trying to understand the output of 'whoami /priv'.
  For example, for a member of Administrators:

  C:\> whoami /priv

  (X) SeChangeNotifyPrivilege  = Bypass traverse checking
  (O) SeSecurityPrivilege      = Manage auditing and security log
  ...(other lines omitted)...

  Apparently:
  (X) means I have that right, and it is enabled.
  (O) means I have that right, but it is currently disabled.

  If I ran a program to manage auditing, that program should:
  - Enable SeSecurityPrivilege (abort if error).
  - Manage auditing.
  - Disable SeSecurityPrivilege to restore setting, when finished.

  I understand "defense in depth", and the common sense of only switching
  the safety catch off when you need to use the gun, but is there any more
  behind the reason that most privileges are disabled?

  I'm wondering if there is a scenario that provides a real security benefit
  from having various privileges disabled (apart from requiring malware to
  have an extra couple of lines of code to first enable the privilege).
  Perhaps if I spawn a process or thread, that process or thread would
  default to NOT have the privilege under some circumstances??

  John
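
The two output formats shown above (the XP/2003 table in Rich's reply and the (X)/(O) form in John's quoted message) parsed into one structure, as an added Python example that is not part of the thread. The sample text is constructed to match the lines quoted in the thread rather than captured from a machine, and the function names are mine. Comparing a capture taken before a tool runs with one taken after it finishes is a simple way to catch a program that enabled a privilege and never disabled it, which is the cleanup step John describes.

```python
import re

# Constructed samples (not captured from a real machine) in the two formats
# that appear in the thread: the XP/2003 table and the older (X)/(O) form.
SAMPLE_TABLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                                State
=============================== ========================================== ========
SeChangeNotifyPrivilege         Bypass traverse checking                   Enabled
SeSecurityPrivilege             Manage auditing and security log           Disabled
"""

SAMPLE_LEGACY = """
(X) SeChangeNotifyPrivilege  = Bypass traverse checking
(O) SeSecurityPrivilege      = Manage auditing and security log
"""

# Constructed "after" capture: the same token once a program has enabled
# SeSecurityPrivilege and not disabled it again when it finished.
SAMPLE_AFTER = SAMPLE_TABLE.replace("Disabled", "Enabled")

# Table rows: name, free-text description, then Enabled/Disabled at the end.
_TABLE_ROW = re.compile(r"^(Se\w+)\s+(.+?)\s+(Enabled|Disabled)\s*$")
# Legacy rows: (X) enabled / (O) disabled, name, '=', description.
_LEGACY_ROW = re.compile(r"^\((X|O)\)\s+(Se\w+)\s*=\s*(.+?)\s*$")


def parse_privileges(text):
    """Return {privilege_name: (description, state)} for either output format.

    Header, ruler and blank lines match neither pattern and are skipped.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _TABLE_ROW.match(line)
        if m:
            name, desc, state = m.groups()
            result[name] = (desc, state)
            continue
        m = _LEGACY_ROW.match(line)
        if m:
            flag, name, desc = m.groups()
            result[name] = (desc, "Enabled" if flag == "X" else "Disabled")
    return result


def enabled_privileges(text):
    """Names of the privileges that are currently enabled in the capture."""
    return sorted(n for n, (_, s) in parse_privileges(text).items() if s == "Enabled")


def changed_privileges(before, after):
    """Privileges whose state differs between two captures, e.g. taken before
    and after a tool ran, as {name: (old_state, new_state)}."""
    b, a = parse_privileges(before), parse_privileges(after)
    return {n: (b[n][1], a[n][1]) for n in sorted(set(b) & set(a)) if b[n][1] != a[n][1]}


if __name__ == "__main__":
    print(parse_privileges(SAMPLE_TABLE))
    print(parse_privileges(SAMPLE_LEGACY) == parse_privileges(SAMPLE_TABLE))
    print(changed_privileges(SAMPLE_TABLE, SAMPLE_AFTER))
```

Both samples parse to the same dictionary, which is the point: the state model underneath (held and enabled, held but disabled) is identical even though the two whoami.exe builds print it differently.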

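Rich's enable/disable/remove mechanism and John's three-step procedure, as an added Python example that is not from the thread. It calls the Win32 functions OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges through ctypes, so it only does real work on Windows; the helper names (adjust_privilege, privilege_enabled, drop_privilege), the choice of SeSecurityPrivilege for the demo, and the use of the PreviousState buffer to put the privilege back exactly as it was (rather than John's plain "disable") are my own additions. The caveat worth knowing for the "abort if error" step is that AdjustTokenPrivileges returns TRUE even when the token does not hold the privilege at all; that case is only visible as ERROR_NOT_ALL_ASSIGNED from GetLastError.

```python
import contextlib
import ctypes
import sys
from ctypes import POINTER, Structure, byref, c_int, c_int32, c_uint32, c_void_p, c_wchar_p

# Attribute values from winnt.h and the two token access rights this needs.
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
TOKEN_QUERY = 0x0008
TOKEN_ADJUST_PRIVILEGES = 0x0020
ERROR_NOT_ALL_ASSIGNED = 1300


class LUID(Structure):
    _fields_ = [("LowPart", c_uint32), ("HighPart", c_int32)]


class LUID_AND_ATTRIBUTES(Structure):
    _fields_ = [("Luid", LUID), ("Attributes", c_uint32)]


class TOKEN_PRIVILEGES(Structure):
    _fields_ = [("PrivilegeCount", c_uint32), ("Privileges", LUID_AND_ATTRIBUTES * 1)]


def attributes_for(action):
    """The three operations from the thread, as AdjustTokenPrivileges attributes."""
    return {"enable": SE_PRIVILEGE_ENABLED, "disable": 0, "remove": SE_PRIVILEGE_REMOVED}[action]


def adjust_privilege(name, action):
    """Apply one action to one privilege of the current process token.

    Returns the privilege's previous attributes so the caller can restore them.
    Raises PermissionError when the token does not hold the privilege (or it was
    removed earlier): AdjustTokenPrivileges still returns TRUE in that case and
    only GetLastError() == ERROR_NOT_ALL_ASSIGNED reveals it.
    """
    if sys.platform != "win32":
        raise RuntimeError("token privileges exist only on Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    advapi32.OpenProcessToken.argtypes = [c_void_p, c_uint32, POINTER(c_void_p)]
    advapi32.OpenProcessToken.restype = c_int
    advapi32.LookupPrivilegeValueW.argtypes = [c_wchar_p, c_wchar_p, POINTER(LUID)]
    advapi32.LookupPrivilegeValueW.restype = c_int
    advapi32.AdjustTokenPrivileges.argtypes = [
        c_void_p, c_int, POINTER(TOKEN_PRIVILEGES), c_uint32,
        POINTER(TOKEN_PRIVILEGES), POINTER(c_uint32)]
    advapi32.AdjustTokenPrivileges.restype = c_int
    kernel32.GetCurrentProcess.restype = c_void_p
    kernel32.CloseHandle.argtypes = [c_void_p]

    token = c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        new = TOKEN_PRIVILEGES(PrivilegeCount=1)
        new.Privileges[0].Attributes = attributes_for(action)
        if not advapi32.LookupPrivilegeValueW(None, name, byref(new.Privileges[0].Luid)):
            raise ctypes.WinError(ctypes.get_last_error())
        prev, needed = TOKEN_PRIVILEGES(), c_uint32()
        ok = advapi32.AdjustTokenPrivileges(token, 0, byref(new), ctypes.sizeof(prev),
                                            byref(prev), byref(needed))
        err = ctypes.get_last_error()   # read before any other call can clobber it
        if not ok:
            raise ctypes.WinError(err)
        if err == ERROR_NOT_ALL_ASSIGNED:
            raise PermissionError(f"{name} is not present in this token")
        return prev.Privileges[0].Attributes if prev.PrivilegeCount else 0
    finally:
        kernel32.CloseHandle(token)


@contextlib.contextmanager
def privilege_enabled(name):
    """John's three steps: enable (abort on error), do the work, restore.

    Restores the recorded previous state rather than blindly disabling, so a
    privilege that was already enabled when we started stays enabled.
    """
    previous = adjust_privilege(name, "enable")
    try:
        yield
    finally:
        adjust_privilege(name, "enable" if previous & SE_PRIVILEGE_ENABLED else "disable")


def drop_privilege(name):
    """Rich's stronger option: SE_PRIVILEGE_REMOVED deletes the privilege from
    the token for good. Nothing in this process can enable it again, and a
    child process created with this token inherits the removed state."""
    adjust_privilege(name, "remove")


if __name__ == "__main__" and sys.platform == "win32":
    with privilege_enabled("SeSecurityPrivilege"):
        print("SeSecurityPrivilege enabled; manage auditing here")
    drop_privilege("SeSecurityPrivilege")
    print("removed; whoami /priv will no longer list it")
```

Run it once and then `whoami /priv` from the same console shows nothing, because the console is a separate process with its own token; the removal only affects this process and anything it spawns afterwards, which is exactly the limit Rich describes.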

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
