[THIN] Re: Installing Programs on the Server

  • From: "Brian Murphy" <bem9127@xxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 6 Feb 2003 10:42:57 -0600

Ok.  Thanks for the input.  I had adjusted the perms for Everyone - No
Access. 

However, I am planning on setting up a new test environment and running
the installation with FileMon and Regmon running.  I'll let you know the
results.

 
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Braebaum, Neil
Sent: Thursday, February 06, 2003 10:26 AM
To: 'thin@xxxxxxxxxxxxx'


Comments inline...

> -----Original Message-----
> From: Brian Murphy [mailto:bem9127@xxxxxxxxx]
> Sent: 06 February 2003 16:07
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Installing Programs on the Server
> Importance: Low
> 
> Neil,
> 
> It was installed to c:\Program Files\Hotbar
> 
> Permissions:
> Admins = Full
> Users = RO
> 
> There were some additional config files written to H: (Home Drives)
> 
> I guess my theory is that the program was installed with elevated
> privileges.  Although I don't have any data to suggest this.  The
> permission set for c:\Program Files\ would not allow installation of a
> program by a normal user.

Then look at the owner and permissions on the files in the hotbar
directory (including the directory itself). It should show who created it
(owner). And the permissions may show if it was assuming some other
user, or elevated privilege.

> > If you prevent access to these *discretionary* accessible resources,
> > then users cannot install software onto the *local* machine
> > - how / where would it be installed to. They may have write access to
> > their home (presumably networked) directory, and they will almost
> > certainly have write access to their local cache of their profile.
> 
> If you have locked down local drives to Read-Only, HKLM\Software to 
> Read-Only.  You have confirmed that users cannot download content or 
> install applications locally.
> What other "accessible resources" are we referring to?

Well as far as a server is concerned, the relevant resources are the
registry and the disk. If your assumption is that something subverted
the OS's security model, and assumed higher privileges, without the
appropriate credentials being supplied - I'm not saying I don't believe
it, and it's not possible - but you have to admit, it does strike you as
being rather out-there.

Regardless, anything new (folders / files, or registry keys) will show
the owner (assuming it hasn't been changed since).

> All of this has been done and the Hotbar would still install.
> Is it possible the installation routine is running with elevated
> privileges?
> 
> Or, am I missing something else?

If something can this easily bypass the OS's security model, without
supplying appropriate credentials - you would have to worry. There
should be something detectable, though.

Check the owner and the DACLs for the files / folders.

Neil
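As an added example (not code from either poster), the check Neil recommends, scripted: list the owner and any broad write access on the program directory and its registry key, so an admin can see which account created the files and whether users could have written there. The path and registry key are assumptions; Hotbar is the program named in the thread, but the key name is a guess.

```powershell
# Added example, not from the thread: report owner and broad write access
# on an installed program's directory tree and registry key.
param(
    [string]$Path   = 'C:\Program Files\Hotbar',   # assumed install path
    [string]$RegKey = 'HKLM:\SOFTWARE\Hotbar'      # assumed key name
)

# Principals that should not hold write rights under Program Files or HKLM.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Access-mask bits meaning "can write" for both files and registry keys:
# WriteData/SetValue (0x2), AppendData/CreateSubKey (0x4), DELETE (0x10000),
# WRITE_DAC (0x40000), WRITE_OWNER (0x80000).
$WriteBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-AclReport {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    $broad = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # File ACEs expose FileSystemRights; registry ACEs expose RegistryRights.
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
            [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (($rights -band $WriteBits) -ne 0) {
            ("$($ace.IdentityReference) (0x{0:X})" -f $rights)
        }
    }
    [pscustomobject]@{
        Path       = $Target
        Owner      = $acl.Owner        # the creating account, unless changed since
        BroadWrite = ($broad -join '; ')
    }
}

# Walk the directory tree (the directory itself included) plus the registry key.
$targets = @(Get-Item -LiteralPath $Path -Force) +
           @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
if (Test-Path -LiteralPath $RegKey) { $targets += Get-Item -LiteralPath $RegKey }

$targets | ForEach-Object { Get-AclReport -Target $_.PSPath } | Format-Table -AutoSize
```

An Owner of SYSTEM or BUILTIN\Administrators on files a user claims to have installed points to the install having run under a privileged account (a service or an admin session), while an owner of the user's own account with an empty BroadWrite column means the directory permissions themselves need a second look.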

********************************************
This Week's Sponsor: triCerat Inc.
Let triCerat simplify the administration of your Terminal Servers.
http://www.triCerat.com
********************************************

For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
use the below link:
http://thethin.net/citrixlist.cfm
