Base line security:
100% new hardware.
new xp+sp2 pro
no Domain,

two accounts: admin and nobody
admin is normal install admin.
nobody is group USERs only.( no other groups assigned)

Is it possible to have a user defined (using builtin groups or custom)
that will be locked out of the windows folder?
To my knowledge, the answer is no. (whole or in part)
I wish this feature to protect the windows folders from a virus, etc.
I am aware XP has a builtin protector but it has been breached by some
worms already.
Are there any 3rd party programs that will protect windows?
"OS Code Protector, etc"
Is there any hope that Longhorn will improve this issue?

Print and file sharing is off, firewall SP2 is fully active and
default.

Thanks for any help.

My goal is to protect folders from other users and to protect the
windows folders from all but admin.
PS:
I am already aware that I, as a user, can set my folders to be only
accessible by me and admin.
I am not asking for Anti Virus or Antispy, whereas I have this in
spades now.

Re: base line XP kernel protection and folder protection, any? by Steve

Steve
Wed Feb 02 03:33:16 CST 2005

Default settings give administrators full control of the \WINDOWS folder;
users have only read and execute access. This is necessary so that the operating
system will run.

Steve Riley
steriley@microsoft.com



> Base line security:
> 100% new hardware.
> new xp+sp2 pro
> no Domain,
> two accounts: admin and nobody
> admin is normal install admin.
> nobody is group USERs only.( no other groups assigned)
> Is it possible to have a user defined (using builtin groups or
> custom)
> that will be locked out of the windows folder?
> To my knowledge, the answer is no. (whole or in part)
> I wish this feature to protect the windows folders from a virus, etc.
> I am aware XP has a builtin protector but it has been breached by some
> worms already.
> Are there any 3rd party programs that will protect windows?
> "OS Code Protector, etc"
> Is there any hope that Longhorn will improve this issue?
> Print and file sharing is off, firewall SP2 is fully active and
> default.
>
> Thanks for any help.
>
> My goal is to protect folders from other users and to protect the
> windows folders from all but admin.
> PS:
> I am already aware that I, as a user, can set my folders to be only
> accessible by me and admin.
> I am not asking for Anti Virus or Antispy, whereas I have this in
> spades now.




Re: base line XP kernel protection and folder protection, any? by Steven

Steven
Wed Feb 02 23:30:01 CST 2005

XP Pro already has the system folder locked down so that users have
read/list/execute permissions which they need to use the operating system
and applications. What " builtin protector " has been breached by worms??
The firewall?? Firewalls are one part of a security plan and will happily
let content through it that the user wants to download including malware.
Other parts of a security plan would be strong passwords, antivirus program
that is kept up to date and scans all emails, and keeping current with
critical updates at Windows Updates. Since you are using XP Pro I would
suggest Software Restriction Policies [available in Local Security policy]
to lock down the computer further starting with a default disallowed rule.
The link below explains more. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

"jtgh" <posdmr@yahoo.com> wrote in message
news:1107330410.545835.302200@l41g2000cwc.googlegroups.com...
> Base line security:
> 100% new hardware.
> new xp+sp2 pro
> no Domain,
>
> two accounts: admin and nobody
> admin is normal install admin.
> nobody is group USERs only.( no other groups assigned)
>
> Is it possible to have a user defined (using builtin groups or custom)
> that will be locked out of the windows folder?
> To my knowledge, the answer is no. (whole or in part)
> I wish this feature to protect the windows folders from a virus, etc.
> I am aware XP has a builtin protector but it has been breached by some
> worms already.
> Are there any 3rd party programs that will protect windows?
> "OS Code Protector, etc"
> Is there any hope that Longhorn will improve this issue?
>
> Print and file sharing is off, firewall SP2 is fully active and
> default.
>
> Thanks for any help.
>
> My goal is to protect folders from other users and to protect the
> windows folders from all but admin.
> PS:
> I am already aware that I, as a user, can set my folders to be only
> accessible by me and admin.
> I am not asking for Anti Virus or Antispy, whereas I have this in
> spades now.
>



Re: base line XP kernel protection and folder protection, any? by jtgh

jtgh
Fri Feb 04 12:35:39 CST 2005

Yes, this is all standard procedure on the Windows boxes.
When we must use a M$ OS, our systems are all protected via
the onion:
hw firewall.
sw firewall
NAT, box routers
AVG7
Spybot13, full scan, every day and full real-time. Teatime!
adware1se, ditto
M$ antispy beta, ditto
Spysweep full version, ditto
Logins as USER (predefined group)
Personal folders locked. NTFS, 1 admin account.
(we use Linux (suse9) for anything serious but some things require
M$, like AutoCAD, etc.)

The windows protection is the "DLLCACHE protector engine built into the
kernel".
It protects the kernel but there are a few viruses that can attack this
protection.

We all know that we all have full protection, per above, but that is not
the question; the question is how do we better protect the weak system
design.
Just a 1-week class in Linux kernel design, and then Windows will show you
that the kernel (and its utilities) are wide open (save the DLL cache, etc.,
protector).
The difference is Linux uses intrinsic protection and MS uses active
real-time protection. The M$ method can be attacked from many fronts:
Memory, Kernel and the Protector itself (to name a few). It is a
kludge, carried forward for the inane reasons of legacy (x86 code).

So the question is what techniques or aftermarket products (3rd party)
can be used to better protect the \windows and \windows\systemx
folders and registry files from attack,
other than the standard-issue AV and Spyware protectors.
Call it Kernel Lock or protector.

The whole concept of applications writing to the Root areas (OS kernel
etc.) is bankrupt.
If nothing else, M$ should have moved the applications part of the
registry to a different file and moved it to a folder called
Application Data, and have separate and obviously weaker protection on
it. The OS would be completely protected.

The design would be such that the core elements would be read only
(save admin accnt).

Proactive, and less Reactive mind set.

In conclusion, I do notice that most M$ people have already given up
on a real OS.

When one loads M$ windoz, it should ask only 1 question: Legacy BS or
No Legacy BS (bull scrud); the latter would be a secure OS (as
good as Linux).

My answer is as long as the topic is complex.

Thanks for any help or direction. jtgh


Re: base line XP kernel protection and folder protection, any? by jtgh

jtgh
Fri Feb 04 16:41:21 CST 2005

Windows File Protection (what it does and what it does not do)
also see: System File Checker sfc.exe (boot scan)
I assembled this group to understand WFP.
WFP
the horse's mouth (arce?):
http://support.microsoft.com/default.aspx?scid=kb;en-us;222193

Note that M$ fails to note other means of attack: the kernel itself and
WFP can be attacked, not to mention Update.exe and dllhost.exe can be
attacked.
Or any virus that can run the regedit code and turn off WFP will be
successful.
Cmd.exe?
or WINLOGON.EXE or W32TM.EXE
Why is it that M$ always understates the issues: ignorance, EGO, or are
they just keeping the Hackers ignorant? I just wonder.



Known successful attacks (direct or indirect), just to name a few:
Nachi Worm attacks the following file:
C:\WINNT\system32\wins\dllhost.exe
and
WORM.MSBLAST
Win32.Wqk.C
VBS.LOVELETTER Worm
W32.Pinfi
W32.Valla.2048
Code Red worm

TROJAN EXPLORER.EXE
[First, the trojan program adds the value SFCDisable=0xFFFFFF9D
to HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogin.
This registry setting completely disables the Windows File
Protection (WFP) mechanism. WFP prevents the replacement of
certain monitored system files. See the following for more info:
http://support.microsoft.com/support/kb/articles/Q222/1/93.ASP]


Links:
http://groups-beta.google.com/group/microsoft.public.windowsxp.setup_deployment/browse_frm/thread/452843f86a37bcbc/fd4210a02427445f?q=WPF+++Windows+XP&_done=%2Fgroups%3Fhl%3Den%26q%3DWPF+++Windows+XP%26qt_s%3DSearch+Groups%26&_doneTitle=Back+to+Search&&d#fd4210a02427445f





One known weakness:
WFP will pop up an alert if you try to delete/rename a dllcache'd file on
Windows 2000 Professional. (under admin only)

A workaround (my favorite) that I found posted somewhere was to do
something like this:

copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\dllcache\wscript.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\dllcache\cscript.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\wscript.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\cscript.exe

WFP is not intelligent enough to know when one protected file is
overwritten with a copy of another. (note a service pack may have cured
this bug)

Weakness 2:
I just now have confirmed that WFP does not appear to check the
checksum (crc, not checksum) of the file in the dllcache folder to see
whether it has been altered by a local or remote attacker or a virus or
worm, so this would appear to be a security issue.] (a weakness and it
WILL be our death)
(reviewer's note: checksum is useless technology, CRC! ok?)

Food for thought:
After reading 1000 documents on Best Practices and then doing them,
why are you not using LINUX?
That is the real question (is it only fear of the unknown?).



Links:

http://groups-beta.google.com/group/microsoft.public.windowsxp.setup_deployment/browse_frm/thread/452843f86a37bcbc/fd4210a02427445f?q=WPF+++Windows+XP&_done=%2Fgroups%3Fhl%3Den%26q%3DWPF+++Windows+XP%26qt_s%3DSearch+Groups%26&_doneTitle=Back+to+Search&&d#fd4210a02427445f


http://www.systemexperts.com/tutors/HardenW2K101.pdf

http://securityadmin.info/faq.htm#harden

http://www.nsa.gov/ < look for security templates.

Conclusion:
Windows is doomed to its present design and as such, the WFP is the
only hope.
So, how can we make WFP bulletproof?
Now that will be worth spending some time on.
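The two WFP weaknesses in the post above (no content hash on the dllcache copies, and one protected file silently overwritten with a copy of another) come down to the same gap: the protector trusted names and versions, not content. The following is an added example, not code from the thread or from Microsoft, showing how a SHA-256 baseline over a protected-file cache detects both cases; the cache directory and file names are constructed stand-ins with fake contents, not real binaries.

```python
import hashlib
import os
import shutil
import tempfile

# Added example (not from the thread): a content-hash baseline for a cache of
# protected files, modelling the dllcache weaknesses described in the post.
# File names are constructed stand-ins; the bytes are not real executables.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(cache_dir):
    # name -> hash of the known-good content, taken while the cache is trusted
    return {name: sha256_file(os.path.join(cache_dir, name))
            for name in sorted(os.listdir(cache_dir))}

def check_cache(cache_dir, baseline):
    # Returns {name: finding} for each file that no longer matches the baseline.
    # Looking the actual hash up in the whole baseline names the donor file when
    # one protected file has been overwritten with a copy of another.
    by_hash = {digest: name for name, digest in baseline.items()}
    findings = {}
    for name, expected in baseline.items():
        path = os.path.join(cache_dir, name)
        if not os.path.exists(path):
            findings[name] = "missing"
            continue
        actual = sha256_file(path)
        if actual != expected:
            donor = by_hash.get(actual)
            findings[name] = f"replaced by copy of {donor}" if donor else "modified"
    return findings

def demo():
    # Constructed cache, then the overwrite pattern quoted in the post
    # (notepad.exe copied over wscript.exe) plus an in-place patch of cscript.exe.
    cache = tempfile.mkdtemp()
    for name in ("notepad.exe", "wscript.exe", "cscript.exe"):
        with open(os.path.join(cache, name), "wb") as f:
            f.write(b"fake image of " + name.encode())
    baseline = build_baseline(cache)
    shutil.copyfile(os.path.join(cache, "notepad.exe"),
                    os.path.join(cache, "wscript.exe"))
    with open(os.path.join(cache, "cscript.exe"), "ab") as f:
        f.write(b" patched")
    findings = check_cache(cache, baseline)
    shutil.rmtree(cache)
    return findings
```

The baseline must be captured while the cache is trusted and stored where the same account that can write the cache cannot rewrite it, otherwise the check inherits the weakness it is meant to cover.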