Friday 15 April 2016

Windoze Security Loop Hole

This is an example of why I hate Windows...

In a curious case of a security loophole: in the office we have a supposedly locked-down setup. None of us are local administrators on our machines, and nor do we have access to many of the very useful parts of them.

This is a real pain, and one where we often have to call on the IT administrators to come, either physically or in a remote desktop session, and enter their password for us.

I personally disagree that educated users such as myself have to put up with this situation. I agree totally with data privacy and integrity; however, I wholly disagree with locking people out of things on their own machines, such as defragging or emptying the temporary folders... Or, in the case of a programmer, not being able to empty Prefetch or write an ISO to an SD card.

Anyway, today I had to write an ISO to an SD card. The result... I called IT and asked them to run the program for me....


So, just to be clear, I'm logged in as myself:


I am unable to access parts of the system, like the Administrators desktop folders...


I get IT to launch the ISO image writer as their elevated user, and the loophole begins: the program has a standard Windows open dialog, and this will work with any standard Windows open or save-as dialog in any program. The program is running as Administrator at this point.

When I select to browse to the file to open, the default folder is the administrator's folder by name...


However, because these dialogs all use Explorer under the hood, and it's all integrated, they do far more than select a file for you: they let you create folders, browse things and even launch programs...

Yes, you can launch a program from a save-as or open browsing dialog!


Let's try to run a command prompt...


Oh, look, it's running as Administrator...


And now I can see the Administrator account directories, which were hidden from me in my own logged-on Explorer window.


And I can clear the Prefetch folder in Windows...


This is clearly wrong, but it's all caused by Windows, so what's going on?...

Well, instead of asking the current session (logged in as regular old me) to start the new instance of Command Prompt, the dialog asks the application that owns it to do so. Command Prompt is therefore started as a child of that program and inherits its user credential level, not that of my session.
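As an added illustration (not from the original post), the following PowerShell audit lists processes in the current logon session whose owner is not the interactive user, together with their parent process, which is exactly the pattern described above: a cmd.exe owned by the administrator account whose parent is the ISO writer. Run from a standard user session, processes it is not allowed to query are reported with an unreadable owner; run by an administrator, the real owners are shown.

```powershell
# Added audit script (not part of the original post).
# Flags processes in *this* logon session that run as someone other than
# the interactive user, and shows which process spawned them.
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. DOMAIN\me
$mySession = (Get-Process -Id $PID).SessionId

$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    # Services and other users' desktops live in other sessions; skip them.
    if ($p.SessionId -ne $mySession) { continue }

    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($o.ReturnValue -eq 0) {
        $owner = "$($o.Domain)\$($o.User)"
        if ($owner -eq $me) { continue }            # my own processes are expected
    } else {
        # A process in my session whose token I cannot even read is itself
        # worth a look (typical for SYSTEM processes, or an elevated child).
        $owner = "<unreadable, rc=$($o.ReturnValue)>"
    }

    $parent = $byId[[int]$p.ParentProcessId]
    [pscustomobject]@{
        Process   = $p.Name
        PID       = $p.ProcessId
        Owner     = $owner
        Parent    = if ($parent) { $parent.Name } else { '<exited>' }
        ParentPID = $p.ParentProcessId
    }
}

$findings | Sort-Object Owner, Parent | Format-Table -AutoSize
```

In the scenario on this page the output would show cmd.exe owned by the administrator account with the image-writer program as its parent, rather than explorer.exe, which is what a user-launched command prompt normally has.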

What should have happened? Well, I believe Windows, when starting a new program from an elevated user like this, should have re-prompted for the user's password. And indeed, trying to start certain files from the launched command prompt, it does go back to the session level to ask for the credentials to start the application with. But not asking and just starting the new application is a problem.

Solutions I can think of include setting the administrator-level account to time out its password every minute, so one reduces the amount of time a regular user has an unaccredited ability to launch programs. Within a minute the administrator could have started anything the user wanted and left.

A better solution, however, might be a user elevation level which gives access only to what the regular user needs, permissions to use peripherals perhaps, rather than to start applications. And the administrator should not have started the application as themselves, but as a hardware-only user.

There are other solutions, and I'm sure many I'm not even going to think about, because I don't use Windows systems. If I want security, I simply use Linux and set things up correctly.
