A Windows Alternative to Linux Security Modules?
Cliffe asks: "I am a PhD candidate preparing to implement a new security (access control) model. I have been reading about Linux's LSM (which allows security frameworks to be loaded), but I was unable to find documentation for a mechanism in MS Windows which allows every individual application's access to resources to be mediated; for example, to restrict each application's access to particular files or network protocols. Is this type of mediation possible in Windows? Virus scanners and firewalls likely utilize similar capabilities. Where can the documentation be found?"
Voila (Score:3, Interesting)
User Access Controls [microsoft.com]
SANS Top 20 [sans.org] (worth reading)
Windows Server 2003 Security Guide [microsoft.com]
Overview of the Windows 2003 Server [microsoft.com]
You can migrate some of the administrative tools under Windows 2003 SMB server over to XP. But I'm under the assumption you're looking at things from a server perspective. As for firewalls, etc., you have to define whether you want a true firewall as opposed to relying on Windows' shabby firewall. If so, then I suggest you take a look at Juniper's Netscreen Elite 5X if you're a small business. I mention this instead of Checkpoint or others since I have used many, and my best recommendation would be the Netscreen. This comes by way of having to migrate a slew of Checkpoints along with Rainwall for management to Netscreen. Things were so shoddy with Checkpoint's IPSO that even Checkpoint wouldn't support the financial institution I was doing work for. This forced us to rethink our tools, and after months' worth of tiger team testing, we went with Juniper.
Re:Voila (Score:3, Informative)
Re:Voila (Score:2, Informative)
http://www.microsoft.com/technet/windowsvista/eva
Re:Voila (Score:2)
that is unrelated (Score:3, Insightful)
None of this gets you a way to plug in a whole new security concept. Suppose that the OS did not support ACLs, but you wanted to add support. That's something that LSM would let you do.
Re:Voila (Score:2)
Windows groups are somewhat more flexible than Unix (Linux) groups, but they're certainly not a panacea, and they don't solve the OP's problem.
No standard API (Score:2)
Given Microsoft's claims about a strong focus on security in the forthcoming Windows Vista, perhaps it has an interface for security modules of the type you're suggesting.
Re:No standard API (Score:2)
I'd love to see some similar products for the mac, if anyone has some links. Ideally I'd like to limit certain applications to only be able to write to certain directories, and also be notified whenever someone is trying to do something fishy.
Re:No standard API (Score:2)
Re:No standard API (Score:1)
It's called WINE, and there are other ways (Score:4, Interesting)
Or run WINE under a different OS (e.g. OpenBSD [openbsd.org]) or emulator if you want different security tools.
I've done this with/for a number of customers, & integrating the security manageability with a system which has no viruses or spyware to speak of has saved them each endless damage (and endless payments to recover from that damage).
I've also convinced other developers to make their applications portable -- which has instantly increased their productivity and their market, too, sloughing off obsolete dependencies -- and simply stopped running the users under Windows (or anything from MS). This particular tactic earns you much peace & security in one step.
well, kind of (Score:4, Informative)
Function hooks (Score:2)
DropMyRights (Score:3, Interesting)
I don't know much at all about the subject, but check out DropMyRights [microsoft.com], by Michael Howard, a security guy at Microsoft.
It's basically sample code, rather than a full solution, but it might give you a starting point.
Also ask Google about the .Net Framework's security model - in particular "code access security." From here [microsoft.com]:
Cheers.
Nah, LSM is nothing like that (Score:3, Informative)
The whole DropMyRights thing is tied to the existing security model. What if you wanted to redefine what the "rights" are? For that you need LSM.
With LSM, you can im
Re:Nah, LSM is nothing like that (Score:2)
Re:DropMyRights (Score:1)
A word of warning about that program. The program works fine so long as you only access things via the dedicated drive letters. As soon as you start accessing files and directories through the administrative UNC shares on the local machine, all the protection DropMyRights gives you is lost. If you run a command prompt with DropMyRights, you may not be able to delete C:\ntldr, but you will be able to delete \\computer\c$\ntldr. All
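The caveat above is easy to verify. The following script is an added example, not code from the thread or from DropMyRights itself: it tries the same write through the drive letter and through the loopback administrative share, and includes a small check a sandbox launcher could use to refuse such paths. Run it once from a DropMyRights-launched PowerShell and once from a normal one, as an account that is a local Administrator. The probe file name and the helper names are assumptions chosen for illustration.

```powershell
# Added example (not from the original thread or from DropMyRights).
# A restricted-token process is still in the same logon session, and a loopback
# UNC path through the administrative share (\\<host>\C$) is serviced by the
# local SMB server with the session's full network credentials, so the token
# restriction does not apply on that path. This probes both paths and reports.

function Test-WriteAccess {
    param([string]$Path)
    try {
        [System.IO.File]::WriteAllText($Path, 'probe')
        Remove-Item -LiteralPath $Path -Force
        return $true
    } catch {
        return $false
    }
}

# Flags paths that reach the local disk through a loopback administrative share,
# which a launcher that relies on a restricted token should deny or rewrite to
# the drive-letter form.
function Test-LoopbackAdminShare {
    param([string]$Path)
    $hosts = @('localhost', '127.0.0.1', $env:COMPUTERNAME)
    foreach ($h in $hosts) {
        # matches \\<host>\<letter>$ followed by a backslash or end of string
        if ($Path -match ('^\\\\' + [regex]::Escape($h) + '\\[A-Za-z]\$(\\|$)')) { return $true }
    }
    return $false
}

$probe   = Join-Path $env:SystemRoot 'dropmyrights-probe.txt'     # assumed name, e.g. C:\Windows\...
$drive   = $env:SystemDrive.TrimEnd(':')                          # C
$uncPath = "\\$env:COMPUTERNAME\$drive`$\" + $probe.Substring(3)   # \\HOST\C$\Windows\...

[pscustomobject]@{
    Path           = $probe
    ViaAdminShare  = Test-LoopbackAdminShare $probe
    WriteSucceeded = Test-WriteAccess $probe
}
[pscustomobject]@{
    Path           = $uncPath
    ViaAdminShare  = Test-LoopbackAdminShare $uncPath
    WriteSucceeded = Test-WriteAccess $uncPath
}
```

Under a DropMyRights-launched shell the first write fails and the second succeeds, which is the bypass the comment describes. The fix belongs at the SMB layer rather than in the token: disable the automatic administrative shares (AutoShareWks on workstations, AutoShareServer on servers, REG_DWORD 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, then restart the Server service) or block loopback SMB, since a restricted token never sees the re-authenticated network access.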
So innocent... (Score:5, Informative)
Do you insist on Windows? OK...
You will be doing what every anti-virus and copy-protection hack does: you will patch the system call table. Note that it is completely unsafe to undo this without a reboot. There are race conditions that can bluescreen the system if you try.
You can not support Win64. The system call table was hidden. Aw heck, if you're already this hacky and evil, you might as well scan memory to find something that looks like the system call table. Just look for an array of function pointers of the right size and in the right order, bearing in mind that some other hack may have hooked the system calls first.
So, system calls happen, and you track what they do. You'll have to duplicate many OS data structures or make many evil assumptions about the content of kernel memory. Track what each handle refers to, the state of that handle, etc.
See? No problem. Easy as pie. You can contribute to making Windows such a stable OS.
Best steps moving forward (Score:1)
filesystem filter driver (Score:4, Informative)
Not built-in to Windows (Score:2)
Windows security is all about restricting access to files and objects with user- and group-oriented Access Control Lists (DACLs and SACLs). When a user/automated-process logs in they are given an authentication token representing their account and group memberships (even their password version/iteration), and that token gets passed around to all processes and threads they touch as tasks proceed. Some processes (such as IIS) run under special LocalSystem/LocalService/NetworkService accounts and are able to i
Re:Not built-in to Windows (Score:2)
Re:Not built-in to Windows (Score:3, Informative)
I've got my doubts about how far you can go with that approach (for example, they admitted that network access control was a problem), but consider their approach along wit
Filesystem Filter Driver (Score:5, Informative)
http://www.microsoft.com/whdc/driver/filterdrv/de
Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to DeviceIoControl other than by hooking CreateFile and doing filtering there, unless there is a facility in the IFSKit to filter those "fake" filesystems.
Re:Filesystem Filter Driver (Score:1)
Of course, the moderators will never see it, but hopefully the original poster will.
Re:Filesystem Filter Driver (Score:3, Interesting)
No, it isn't. Or at least it is the right answer for the wrong question. Filesystem controls are completely orthogonal to process permissions. He's not trying to just limit filesystem operations; he's looking at all operations. How is a filesystem driver going to affect whether you can open port 12345 if your window station isn't on some trusted list? Or whether you can impersonate another user only if it's run app XYZ within the last X minutes (think sudo)? He's trying to
Ballsy! (Score:2, Interesting)
Re:Ballsy! (Score:2)
good luck with it! (Score:1)
Given the design of the Windows core (kernel*), I am not sure this can be implemented without a significant redesign. Linux is pretty good at this, as is the NSA offering (called SELinux). OpenBSD is far superior in this aspect.

There is one additional problem: M$ might decide to "co-opt" your work on you if they like what it does. Best to be cautious with a shark like that.
Re:good luck with it! (Score:2)
Perhaps FreeBSD has the needed hooks. They have been showing interest in stuff like SE Linux. OpenBSD has shown no interest.
LSM is the set of hooks that supports SE Linux. In other words, he wants to write something which makes security decisions similar to the ones that SE Linux makes. He needs the hooks.
You'd need to create a user for each process (Score:2)
You can't run them as the normal user. Even if you remove all the privileges, it is still the same user SID (Windows's UID). By default, a process's ACL allows debug access for the same user. That is, if program A and program B run as the same SID, then by default process A can manipulate process B and vice versa. Thus, if you did this, the program could do NtWriteVirtualMemory on any ot
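The per-process account the comment above calls for, as an added example that is not code from the thread. It creates a dedicated local account, scopes the filesystem to that SID with an ordinary NTFS ACL, and launches the application under a fresh logon as that account. Account name, directory and executable path are assumptions for illustration; it needs an elevated PowerShell 5.1 or later prompt (New-LocalUser comes from the LocalAccounts module).

```powershell
# Added example (not from the original thread). Runs a confined application
# under its own local account so that its processes carry a different SID from
# the user's other processes. Default process DACLs grant access to the owner
# SID, so processes under different SIDs cannot open each other for
# PROCESS_VM_WRITE/debug unless the caller holds SeDebugPrivilege; file access
# is then scoped to that SID with NTFS ACLs. Names below are assumptions.

param(
    [string]$AppUser = 'svc-confined-app',
    [string]$AppDir  = 'C:\ConfinedApp',
    [string]$AppExe  = 'C:\ConfinedApp\app.exe'
)

# 1. A dedicated account: member of Users only, never Administrators, because
#    SeDebugPrivilege on an administrator bypasses the process DACL entirely.
$password = Read-Host -AsSecureString "Password for $AppUser"
if (-not (Get-LocalUser -Name $AppUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AppUser -Password $password `
                  -Description 'Per-application confinement account' `
                  -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}

# 2. Scope the filesystem: the app's own directory is the only place it may write.
#    Inheritance is cut so nothing from the parent grants the SID extra access.
New-Item -ItemType Directory -Path $AppDir -Force | Out-Null
$acl = Get-Acl -Path $AppDir
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $AppUser, 'ReadAndExecute, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $AppDir -AclObject $acl

# 3. Launch as that account. Start-Process -Credential performs a separate logon,
#    so the new process owns a primary token whose user SID is the confined one,
#    not a restricted copy of the launching user's token.
$cred = [System.Management.Automation.PSCredential]::new(".\$AppUser", $password)
$proc = Start-Process -FilePath $AppExe -WorkingDirectory $AppDir -Credential $cred -PassThru
"Started $AppExe as $AppUser (PID $($proc.Id))"
```

From a non-elevated prompt of the original user, OpenProcess on the new PID with PROCESS_VM_WRITE now fails with access denied, because the process DACL names only the confined SID and SYSTEM; this is the separation a same-user restricted token cannot give. It still does not mediate network use or anything outside ACL-protected objects, which is the gap the rest of the thread is about.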
Re:You'd need to create a user for each process (Score:1)
Re:You'd need to create a user for each process (Score:2)
Melissa
Filesystem filter driver (Score:2)
To properly restrict access to files, you'll need to write a filesystem filter driver. This is how most antivirus programs work. More information here:
http://www.microsoft.com/whdc/driver/filterdrv/default.mspx [microsoft.com]
Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license. To filter network access, you would use a TDI filter driver. I don't know of any way of filtering calls to
Re:Filesystem filter driver (Score:2)
Writing a FS filter requires the IFSKit, which is expensive and does not come with an MSDN license.
Just so you know, Microsoft dropped the price for the IFS kit from over $1000 to less than $150 including shipping ($25 for shipping a CD... wowza!) a few months ago. You can purchase it online at the IFS kit page [microsoft.com]. That's a much easier pill to swallow for a PhD investment.
MS Windows Internals, 4th Ed. (Score:1)
Chapter 8 deals with security, and offers the following juicy nugget:
Among others. T
Ask tzuk at sandboxie dot com (Score:3, Informative)
Maybe he'd tell you in exchange for a redesign of his site.
Simplest Windows security measure (Score:2)
But I don't think it's possible in Windows.
Re:Simplest Windows security measure (Score:2)
Mandatory code signing has been built-in to Windows since 2001 [microsoft.com] (with the release of XP).
I use this for some of my locked-down client machines, and it works pretty much as advertised. However, maintaining the list of allowed executables is a pain. Most 3rd-party Windows developers neglect to sign their code, so you have to do a lot of manual entry of hashes. There are 3rd-party management tools and scripting which can be used to overcome these problems.
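The scripting the comment above alludes to, as an added example that is not the poster's own script: it walks a directory tree, keeps signed executables grouped by publisher (one certificate or publisher rule covers all of them) and emits a hash per unsigned binary, which is the list that has to be entered by hand and regenerated after every update. The root directory, output file and extension list are assumptions for illustration.

```powershell
# Added example (not from the original thread). Builds the allow-list inventory
# for Software Restriction Policies: signed files by publisher, unsigned files
# by hash. SRP on XP/2003 used MD5 and SHA-1 hash rules; later versions and
# AppLocker accept SHA-256, so both are recorded for unsigned files.
# Defaults below are assumptions.

param(
    [string]$Root   = 'C:\Program Files',
    [string]$OutCsv = "$env:TEMP\srp-inventory.csv",
    [string[]]$Extensions = @('*.exe', '*.dll', '*.ocx', '*.msi', '*.scr')
)

function Get-ExecutableInventory {
    param([string]$Path, [string[]]$Include)
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signed = ($sig.Status -eq 'Valid')   # untrusted root, expired or tampered all count as unsigned
            [pscustomobject]@{
                Path      = $_.FullName
                Signed    = $signed
                Publisher = if ($signed) { $sig.SignerCertificate.Subject } else { '' }
                Sha1      = if ($signed) { '' } else { (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash }
                Sha256    = if ($signed) { '' } else { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
            }
        }
}

$inventory = Get-ExecutableInventory -Path $Root -Include $Extensions
$inventory | Export-Csv -Path $OutCsv -NoTypeInformation

# One rule per publisher covers every signed file; each unsigned file needs its
# own hash rule, and that list is what must be regenerated on every update.
$signed     = $inventory | Where-Object Signed
$unsigned   = $inventory | Where-Object { -not $_.Signed }
$publishers = $signed | Group-Object Publisher
"Signed: $($signed.Count) files under $($publishers.Count) publishers"
"Unsigned: $($unsigned.Count) files needing hash rules (written to $OutCsv)"
$unsigned | Select-Object -First 5 Path, Sha1 | Format-Table -AutoSize
```

Diffing two runs of the CSV after a patch cycle shows exactly which hash rules went stale, which is the maintenance cost the comment describes. Note that a "Valid" signature only means the chain terminates in a trusted root on this machine; whether that publisher should be allowed is still a policy decision.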
Core Force (Score:1)
Not a direct answer but... (Score:3, Insightful)
Cisco Security Agent [cisco.com] is a close analog to the sort of comprehensive kernel security hooking that something like LIDS [lids.org] does on Linux. If you can do some research to determine how they're doing it, that'll be a start. They hook all sorts of things, from file and network opens to attempts to sniff keystrokes and executing dynamically modified memory.
Cisco Security Agent is a pile of crap (Score:2)
Also, much of its hooking can be bypassed by someone who knows the NT API. Many of their hooks are patches to ntdll.dll in each process's memory that can easily be bypassed.
The main "security" of CSA comes from the
Re:Cisco Security Agent is a pile of crap (Score:2)
I'm sorry your admins don't know how to administer it.
I might go even further and pontificate upon the idiocy of attempting to lock developer's systems down, but I'd hate to cause you to vent any more of your spleen.
Make Windows more secure than Linux (Score:2)
Basically, the way it works by default is
Quick Question (Score:2)
Core Force (Score:1)
From their site:
VMS (Score:2)
Windows NT was designed and implemented by the main VMS designer. A lot of the low-level kernel stuff is quite similar. But I don't think this feature made it across in any way.
Linux or Windows.. (Score:1)
Ideally I would like to implement my access control / application confinement model on both Linux and Windows. Unfortunately time will most probably prevent that (at least during my current studies). Currently I am considering various implementation options.
Linux seems to be the natural choice: it has frameworks that are unlikely to drastically change any time soon, most access control and application confinement research is conducted on Linux, and ideally I would like to contr