A Windows Alternative to Linux Security Modules?
Cliffe asks: "I am a PhD candidate preparing to implement a new security (access control) model. I have been reading about Linux's LSM (which allow security frameworks to be loaded) but I was unable to find documentation for a mechanism in MS Windows which allows every individual application's access to resources to be mediated; for example, to restrict each application's access to particular files or network protocols. Is this type of mediation possible in Windows? Virus scanners and firewalls likely utilize similar capabilities. Where can the documentation be found?"
Voila (Score:3, Interesting)
User Access Controls [microsoft.com]
SANS Top 20 [sans.org] (worth reading)
Windows Server 2003 Security Guide [microsoft.com]
Overview of the Windows 2003 Server [microsoft.com]
You can migrate some of the administrative tools under Windows 2003 SMB server over to XP. But I'm under the assumption you're looking at things from a server perspective. As for firewalls, etc., you have to define if you want a true firewall as opposed to relying on Windows' shabby firewall. If so then I suggest you take a look at Juniper's Netscreen Elite 5X if you're a small business. I mention this instead of Checkpoint or others since I have used many and my best recommendation would be the Netscreen. This comes via way of having to migrate a slew of Checkpoints along with Rainwall for management to Netscreen. Things were so shoddy with Checkpoint's IPSO, even Checkpoint wouldn't support the financial institute I was doing work for. This forced us to rethink our tools and after months' worth of tiger team testing, we went with Juniper.
DropMyRights (Score:3, Interesting)
I don't know much at all about the subject, but check out DropMyRights [microsoft.com], by Michael Howard, a security guy at Microsoft.
It's basically sample code, rather than a full solution, but it might give you a starting point.
Also ask Google about the .Net Framework's security model - in particular "code access security." From here [microsoft.com]:
Cheers.
It's called WINE, and there are other ways (Score:4, Interesting)
Or run WINE under a different OS (e.g. OpenBSD [openbsd.org]) or emulator if you want different security tools.
I've done this with/for a number of customers, & integrating the security manageability with a system which has no viruses or spyware to speak of has saved them each endless damage (and endless payments to recover from that damage).
I've also convinced other developers to make their applications portable -- which has instantly increased their productivity and their market, too, sloughing off obsolete dependencies -- and simply stopped running the users under Windows (or anything from MS). This particular tactic earns you much peace & security in one step.
Ballsy! (Score:2, Interesting)
Re:Filesystem Filter Driver (Score:3, Interesting)
No it isn't. Or at least it is the right answer for the wrong question. Filesystem controls are completely orthogonal to process permissions. He's not trying to just limit filesystem operations, he's looking at all operations. How is a filesystem driver going to affect whether you can open Port 12345 if your windowstation isn't on some trusted list? Or whether you can impersonate another user only if it's run app XYZ within the last X minutes (think sudo). He's trying to extend process security descriptors, which, as far as I know, is simply not in the design of Windows. Even source licensees like Symantec and Checkpoint have still had to rely on hacking in API hooks.