Author Topic: Access Control  (Read 839 times)

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Access Control
« on: November 27, 2008, 06:50:15 PM »
I would like to understand access permissions in Vista, but I am having a little difficulty in finding information. Here is what I have figured out so far. I understand NTFS file permissions, I understand how ACL's (Access Control Lists) are used, I understand the various ACE's (Access Control Entries), and I understand Inheritance. I think I even understand how UAC (User Access Control) works.

If you go to the \windows\system32\ directory in Windows Explorer, right button click on the LogFiles directory, go to the properties window and click on the security tab, you will see the file permissions for that directory (one that everybody should have):
CREATOR OWNER
SYSTEM
Administrators
Users
TrustedInstaller
Highlighting each one will show you the permissions (greyed out by the system in this case). But that is only part of the story. If you go to the Command Prompt, change the directory to the system directory (cd\windows\system32), and enter the command "icacls logfiles", you get:
C:\Windows\System32>icacls logfiles
logfiles NT SERVICE\TrustedInstaller:(I)(F)
         NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
         BUILTIN\Administrators:(I)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
         BUILTIN\Users:(I)(RX)
         BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
You can see that each group actually has 2 permission sets (except CREATOR OWNER). When access is requested, 2 security tokens are passed to the security processor and one is filtered out by the UAC control depending on what level of access was requested. For a standard user requesting access beyond RX (Read/eXecute), the UAC control would ask for administrator credentials.

To see what permission groups are available, click on the "Advanced" button in the "LogFiles Properties" window. Then click on the "Effective Permissions" tab. Then click "Select", "Advanced", and "Find Now". One of those, the Authenticated Users group, is the one I am having trouble with. According to Microsoft, that group is any standard user properly logged on locally (no blank password). You will find that group listed in various places throughout the disk with elevated permissions, but I can't seem to find out how the logged on user gets tagged with that authority. It doesn't appear to be happening on one of our computers, and I am at a loss to explain why or how to fix it.

I also don't know how permissions are implemented on system objects other than files/directories. In one of my programs for example, a standard user cannot access HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters, but an administrator can. There is no opportunity given to elevate permissions, even with UAC enabled.

Feel free to question or add to this information.

J.A. Coutts
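
An added example, not part of the original post: a Python parser for the icacls listing quoted above. It expands the documented icacls flags ((I) inherited, (OI) object inherit, (CI) container inherit, (IO) inherit only) and reports, per trustee, which rights apply to the folder itself and which are only passed on to children; the function names are this example's own.

```python
import re

# Constructed input: the icacls listing quoted in the post above.
SAMPLE = r"""logfiles NT SERVICE\TrustedInstaller:(I)(F)
         NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
         BUILTIN\Administrators:(I)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
         BUILTIN\Users:(I)(RX)
         BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files"""

# Inheritance flags as documented for icacls.
INHERIT = {"I": "inherited from parent", "OI": "object inherit",
           "CI": "container inherit", "IO": "inherit only",
           "NP": "do not propagate"}
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<groups>(?:\([^()]*\))+)$")


def parse_icacls(text, path):
    """Return one dict per ACE line: trustee, inheritance flags, rights."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path):].strip()  # the first line carries the path
        m = ACE_RE.match(line)
        if not m:
            continue  # e.g. the "Successfully processed" footer
        groups = re.findall(r"\(([^()]*)\)", m["groups"])
        flags = [g for g in groups if g in INHERIT]
        rights = [r for g in groups if g not in INHERIT for r in g.split(",")]
        aces.append({"trustee": m["trustee"], "flags": flags, "rights": rights})
    return aces


def scope_summary(aces):
    """Split each trustee's rights into 'this folder' and 'children'."""
    out = {}
    for ace in aces:
        slot = out.setdefault(ace["trustee"], {"self": [], "children": []})
        if "IO" not in ace["flags"]:  # inherit-only ACEs skip the folder itself
            slot["self"].extend(ace["rights"])
        if "OI" in ace["flags"] or "CI" in ace["flags"]:
            slot["children"].extend(ace["rights"])
    return out


if __name__ == "__main__":
    for who, s in scope_summary(parse_icacls(SAMPLE, "logfiles")).items():
        print(f"{who:30} folder={s['self']} children={s['children']}")
```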


Offline shelter

  • Premium Member
  • *****
  • Posts: 5
Re: Access Control
« Reply #1 on: November 30, 2008, 10:18:48 PM »
This is by no means a solution to your problem but since icacls is a utility from Windows
Server I became curious and did a search on MSDN. The following link might be of use
assuming that you haven't been there already:

http://msdn.microsoft.com/en-us/library/bb625964.aspx

After reading about the Vista security implementation and the reasoning behind it, I felt
like going off to lay down in a very dark room. When Dave Cutler, who I used to work for
in a previous life, left DEC to join Microsoft and build NT it was thought that VMS would
spread across the globe. It obviously caught a very bad cold on the way!

In those days, and that is where I end up sounding like a dinosaur or fossil, anyone
who didn't support VMS was told to See Figure 1. I suspect that the boys at MS decided
to sit on it as well.

Richard.
« Last Edit: November 30, 2008, 10:45:15 PM by shelter »

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Access Control
« Reply #2 on: December 03, 2008, 03:10:26 PM »
That link did indeed answer a number of questions for me. It is pretty heavy reading, so I will try to summarize.

According to Microsoft, "The Windows Vista integrity mechanism extends the security architecture of the operating system by assigning an integrity level to application processes and securable objects." The NTFS file security system has been extended to apply to objects by adding a new mandatory ACE (Access Control Entry), representing an integrity level in an object's security descriptor. There are five integrity levels:
0x0000 - Untrusted level
0x1000 - Low integrity level
0x2000 - Medium integrity level
0x3000 - High integrity level
0x4000 - System integrity level
with provision made to extend those levels in the future (1000 Hex between levels).

A standard user would be assigned a medium integrity level when logged in (High AND Medium for an administrator using UAC). Any process started by that user would be assigned the same integrity level, and when that process attempts to access system objects, the integrity level is compared against that for the system object. Attempts to access objects with a higher integrity level produce an access error or a UAC prompt.

That's it in a nutshell. I don't know how they manage to apply different integrity levels to different parts of the registry, but they must have found a way because I seem to have run into that particular problem.

J.A. Coutts
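
An added example, not part of the original post: a Python sketch of the integrity comparison summarized above, reading the mandatory label ACE from a security descriptor in SDDL form (the `ML` ACE type with `NW`/`NR`/`NX` policy and the `LW`/`ME`/`HI`/`SI` level aliases). The SDDL strings are constructed, the function names are this example's own, and it assumes the documented default that an unlabeled object is treated as Medium with a no-write-up policy.

```python
import re

# Integrity levels listed in the post above; the value is the last part (RID)
# of the mandatory label SID, S-1-16-<RID>.
LEVELS = {"Untrusted": 0x0000, "Low": 0x1000, "Medium": 0x2000,
          "High": 0x3000, "System": 0x4000}
SDDL_SID_ALIAS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
SDDL_POLICY = {"NW": "write", "NR": "read", "NX": "execute"}
# SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
ML_ACE = re.compile(r"\(ML;([^;]*);([^;]*);;;([^)]+)\)")

# Constructed SDDL strings (illustrative, not read from a real system).
HIGH_LABELED = "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)S:(ML;;NW;;;HI)"
UNLABELED = "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)"


def object_label(sddl):
    """Return (label RID, set of access kinds blocked for lower subjects)."""
    m = ML_ACE.search(sddl)
    if m is None:
        # Assumption stated in the lead-in: no label means Medium, no-write-up.
        return LEVELS["Medium"], {"write"}
    _flags, rights, sid = m.groups()
    if sid in SDDL_SID_ALIAS:
        rid = SDDL_SID_ALIAS[sid]
    else:
        rid = int(sid.rsplit("-", 1)[1])  # full form, e.g. S-1-16-12288
    blocked = {SDDL_POLICY[rights[i:i + 2]] for i in range(0, len(rights), 2)}
    return rid, blocked


def passes_integrity_check(subject_rid, sddl, access):
    """True if the mandatory label does not block this access.

    Passing here is necessary but not sufficient: the object's DACL is
    still evaluated afterwards and can deny the request on its own.
    """
    rid, blocked = object_label(sddl)
    return subject_rid >= rid or access not in blocked


if __name__ == "__main__":
    for name, sddl in (("high-labeled", HIGH_LABELED), ("unlabeled", UNLABELED)):
        for subject in ("Low", "Medium", "High"):
            ok = passes_integrity_check(LEVELS[subject], sddl, "write")
            print(f"{subject:6} -> {name:12} write: {'pass' if ok else 'blocked'}")
```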

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Access Control
« Reply #3 on: December 06, 2008, 12:18:51 PM »
Just in case anyone is interested in understanding this technical stuff further, I found several white papers from Symantec that cover the issue fairly well. They are just as technical as the Microsoft articles, but are a little less convoluted and deal strictly with security issues.
http://www.symantec.com/business/security_response/whitepapers.jsp

The four papers I found of interest were:
Windows Vista Network Attack Surface Analysis (.pdf) July, 2006
Windows Vista Security Model Analysis (.pdf) August, 2006
Windows Vista Kernel Mode Security (.pdf) August, 2006
The Teredo Protocol: Tunneling Past Network Security (.pdf) November, 2006

They deal with Vista security issues when it was still in Beta, but most of it is still applicable today.

J.A. Coutts