Restricting Certain Binaries - Steve?


John

Steve, can you please comment on this?

http://www.uksecurityonline.com/husdg/windows2000/binaries.htm

I changed the permissions on all these executables from

Administrators: full control
System: full control

to

Administrators: full control

I did this after reading that many of these viruses are able to obtain
system privilege somehow. I have eliminated remote logons for everyone,
and used passprop.exe to do the same for administrator.

Since I log onto this machine using a normal "user" account I cannot
execute any of these binaries from my desktop. If a virus executes
while I am logged on under my "user authority" I think the virus won't
be able to execute any of them either, neither will it be able to
execute them even if it somehow gets "system" authority.

Is this a step in the right direction? How is a virus able to obtain
system authority anyway?

Thank you.

John
 
Hi John.

I have never implemented that technique [nor have I configured a dmz bastion
host] though I have read about it in a couple books including the O'Reilly book
on building a bastion host. It may be a bit overkill for most situations [where
you are not offering services to internet users], but another layer of security
is always a good thing if you maintain an acceptable level of functionality for
your purpose. Of course it makes sense to take all other precautions first to
avoid hackers/worms including a properly configured firewall, critical patch
management, antivirus software, complex passwords, account lockout policy,
ntfs/share permissions, eliminating unnecessary services, etc. For instance if
you are not offering shares on your computer and do not need to manage it
remotely via Computer Management it makes sense to uninstall file and print
sharing. If you do need file and print sharing, you can remove the
administrators group from the "access this computer from the network" user right
assignment which would make it much more difficult for hackers if your firewall
becomes misconfigured.

I notice that the IISlockdown tool for computers running IIS adds the
iusr_machinename account to many \system32 binaries with a deny permission to
protect the computer from hackers. I read one book by Phil Cox, and the info is
in a link below though, where he recommends removing system and administrators
from those files and adding a group instead that membership can be controlled
with select user accounts in the local administrators group. Keep in mind that
applying a service pack, etc may overwrite those files with versions that have
default permissions and of course trying to remove them may be futile as Windows
File Protection will replace many.

http://www.systemexperts.com/tutors/HardenW2K101.pdf

Yes I definitely think you are taking a look at good ways to secure your computer
and it can be an interesting and fun process. The biggest threat for most users
continues to be through email attachments which I bet you are real careful
about. I don't know exactly how an attacker or worm gets system control. But I
do know that is why keeping critical updates is so important to prevent
known/newly discovered vulnerabilities to the operating system from being
exploited to do such. I read the term "buffer overflow" a lot when I hear about
how an operating system is severely compromised, see an example in the link
below. --- Steve

http://www.cert.org/advisories/CA-2003-09.html
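An added example, written for this thread rather than taken from John, Steve or either linked document, that puts the approach discussed above into PowerShell: it audits which principals can execute a set of binaries, optionally replaces the ACL with the dedicated-group model Steve relays from Phil Cox (Administrators plus a controlled local group, no SYSTEM, mirroring what John did), and records a baseline so that the service-pack and Windows File Protection caveat shows up as reported drift instead of a surprise. The group name, the baseline path and the list of binaries are assumptions, and the script assumes a modern Windows PowerShell host run elevated.

```powershell
# Added example, not from the thread or any project it cites: audit the ACLs on a
# set of Windows binaries, optionally apply a restricted ACL (Administrators and
# one trusted local group only), and keep a baseline so a later run reveals when a
# service pack or Windows File Protection has put the default ACL or file back.
# Assumptions (mine): Windows PowerShell 5.1 or later, an elevated session with
# rights to rewrite the ACLs, a pre-created local group named in $TrustedGroup,
# and a constructed sample list of binaries (the thread's own list is only at the
# linked URL and is not reproduced here).

param(
    [string[]]$Binaries = @(
        "$env:SystemRoot\System32\cmd.exe",        # constructed sample entries
        "$env:SystemRoot\System32\ftp.exe",
        "$env:SystemRoot\System32\tftp.exe"
    ),
    [string]$TrustedGroup = "RestrictedBinUsers",   # hypothetical local group
    [string]$BaselinePath = "$env:ProgramData\binacl-baseline.json",
    [switch]$Apply                                  # without it: report only
)

# Principals whose execute access on an administrative binary is worth flagging.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-ExecuteAllowances {
    # Allow ACEs on one file that include the ExecuteFile bit (ReadAndExecute and
    # FullControl both do). Generic-right ACEs, shown as negative numbers, are
    # not decoded here.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band
          [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
    }
}

function Test-BroadExecute {
    # True when any of the broad principals can execute the file.
    param([string]$Path)
    $ids = (Get-ExecuteAllowances -Path $Path).IdentityReference.Value
    [bool]($ids | Where-Object { $BroadPrincipals -contains $_ })
}

function Set-RestrictedAcl {
    # Replace the ACL: inheritance off, only Administrators and $Group keep
    # access. SYSTEM is omitted on purpose to mirror the thread; any service
    # running as LocalSystem can no longer run the file afterwards.
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)            # drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null              # drop explicit ACEs
    }
    foreach ($id in @('BUILTIN\Administrators', $Group)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, 'FullControl', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AclSnapshot {
    # SDDL plus content hash: SDDL drift means the ACL was reset, hash drift
    # means the binary itself was replaced (service pack, hotfix, WFP restore).
    param([string]$Path)
    [pscustomobject]@{
        Path = $Path
        Sddl = (Get-Acl -LiteralPath $Path).Sddl
        Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Compare-WithBaseline {
    # Report every binary whose ACL or content differs from the stored baseline.
    param([string[]]$Paths, [string]$Baseline)
    if (-not (Test-Path -LiteralPath $Baseline)) { return }
    $stored = @{}
    foreach ($e in (Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json)) {
        $stored[$e.Path] = $e
    }
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p) -or $null -eq $stored[$p]) { continue }
        $now = Get-AclSnapshot -Path $p
        if ($stored[$p].Sddl -ne $now.Sddl) { "$p : ACL changed since baseline (reset by an update?)" }
        if ($stored[$p].Hash -ne $now.Hash) { "$p : binary replaced since baseline; re-check its ACL" }
    }
}

# 1. Report which binaries are executable by broad principals; harden on -Apply.
foreach ($p in $Binaries) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    "{0,-45} broad execute: {1}" -f $p, (Test-BroadExecute -Path $p)
    if ($Apply) { Set-RestrictedAcl -Path $p -Group $TrustedGroup }
}

# 2. Compare against the previous baseline, then write a fresh one.
Compare-WithBaseline -Paths $Binaries -Baseline $BaselinePath
$Binaries | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-AclSnapshot -Path $_ } |
    ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
```

Run it once without `-Apply` to see the current exposure and write the first baseline; run with `-Apply` to rewrite the ACLs; run it again after any service pack or hotfix, and the comparison step names the files whose permissions or contents were put back, which is exactly the case Steve warns about. Taking ownership of the files first may be needed on newer Windows versions, where the default owner is not Administrators.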
 
(after a short intermission to re-install everything)

"Interesting" is the right word. I destabilized the regime in my C
drive - probably trying to make too many changes too fast. Ah well,
after you do it a few times (re-install) you get good at it. :-)

My security level is hugely better than it was a couple of weeks ago
when I started this whole process. Yup, I have a better appreciation of
things to do and things to *not* do.

The Sygate site mentions "buffer overflow" as the main attack technique
too. My trusty Sygate personal firewall can easily deal with that
gambit :-). Seriously, this process has made me appreciate the value of
adequate backup procedures - in case the barbarians storm the gates and
burn you to the ground.

Thanks again for all your good stuff Steve.

John.