[THIN] Re: Installing Programs on the Server

Comments inline...

> -----Original Message-----
> From: Brian Murphy [mailto:bem9127@xxxxxxxxx] 
> Sent: 06 February 2003 16:07
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Installing Programs on the Server
> Importance: Low
> 
> Neil,
> 
> It was installed to c:\Program Files\Hotbar
> 
> Permissions:
> Admins = Full
> Users = RO
> 
> There were some additional config files written to H: (Home Drives)
> 
> I guess my theory is that the program was installed with 
> elevated privileges.  Although I don't have any data to 
> suggest this.  The permission set for c:\Program Files\ would 
> not allow installation of a program by a normal user.

Then look at the owner and permissions on the files in the hotbar directory
(including the directory itelf). It should show who created it (owner). And
the permissions may show if it was assuming some other user, or elevated
privilege.

> > If you prevent access to these *discretionary* accessible resources,
> then users cannot install software onto the *local* > machine 
> - how / where would it be installed to. They may have write 
> access to their home (presumably
> > networked) directory, and they will almost certainly have 
> write access
> to their local cache of their profile.
> 
> If you have locked down local drives to Read-Only, 
> HKLM\Software to Read-Only.  You have confirmed that users 
> cannot download content or install applications locally.  
> What other "accessible resources" are we referring to?

Well as far as a server is concerned, the relevant resources are the
registry and the disk. If you're assumption is that something subverted the
OS's security model, and assumed higher privileges, without the appropriate
credentials being supplied - I'm not saying I don't believe it, and it's not
possible - but you have to admit, it does strike you as being rather
out-there.

Regardless, anything new (folders / files, or registry keys) will show the
owner (assuming it hasn't been changed since).

> All of this has been done and the Hotbar would still install. 
>  Is it possible the installation routine is running with 
> elevated priveledges?
> 
> Or, am I missing something else?

If something can this easily bypass the OS's security model, without
supplying appropriate credentials - you would have to worry. There should be
something detectable, though.

Check the owner and the DACLs for the files / folders.

Neil

***********************************************************************
This e-mail and its attachments are intended for the above named 
recipient(s) only and are confidential and may be privileged.
If they have come to you in error you must take no action based 
on them, nor must you copy or disclose them or any part of 
their contents to any person or organisation; please notify the 
sender immediately and delete this e-mail and its attachments from 
your computer system.

Please note that Internet communications are not necessarily secure 
and may be changed, intercepted or corrupted. We advise that 
you understand and observe this lack of security when e-mailing us 
and we will not accept any liability for any such changes, 
interceptions or corruptions. 

Although we have taken steps to ensure that this e-mail and its 
attachments are free from any virus, we advise that in keeping 
with good computing practice the recipient should ensure they 
are actually virus free.

Copyright in this e-mail and attachments created by us belongs 
to Littlewoods. 

Littlewoods takes steps to prohibit the transmission of offensive, 
obscene or discriminatory material.  If this message contains 
inappropriate material please forward the e-mail intact to 
postmaster@xxxxxxxxxxxxxxxxx and it will be investigated. 
Statements and opinions contained in this e-mail may not 
necessarily represent those of Littlewoods.

Please note that e-mail communication may be monitored.

Registered office: 
Littlewoods Retail Limited, 
Sir John Moores Building, 
100 Old Hall Street, 
Liverpool,
L70 1AB 
Registered no: 421258  

http://www.littlewoods.com 
***********************************************************************
********************************************
This Week's Sponsor: triCerat Inc.
Let triCerat simplify the administration 
of your Terminal Servers.
http://www.triCerat.com
********************************************

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

Other related posts: