The Importance Of Permission
Typically when I refer to "permission" I am advising my students or audience to seek permission before performing any sort of security testing. This week I have been looking at permission in a different light, as it relates to the file systems, services, and programs on Windows systems. As a defender it is important to understand and set appropriate permissions. Doing so closes some of the gaps that allow privilege escalation, that is, an attacker raising their level of access on a system they have already exploited. This is especially important on systems that communicate with control systems. Proper access control and permissions can slow attackers down and keep them from reaching control systems and other sensitive components (such as password databases).
There are many techniques for privilege escalation and for abusing permissions. For example, I came across this article, which shows the following command:
at 21:01 /interactive "cmd.exe"
The above command schedules an interactive command shell to start at the specified time. On certain versions of Windows (XP/2000), that shell executed with SYSTEM privileges: jobs created with at.exe run in the context of the Task Scheduler service (LocalSystem), and /interactive places the resulting window on the current desktop. However, I did some testing on recently patched Windows Server 2003 systems and this command did not work; the system reported "Access is denied". Proper permissions matter, and it's worth the time and effort to configure them on your systems.
Author: Paul Asadoorian
Posted: November 6th, 2008 under Bandolier, DoE Research Project.
Comments: 1
Comments
Comment from Jason Holcomb
Time: November 6, 2008, 5:48 pm
All the Bandolier security audit files have baseline file and directory permissions checks for the control systems application directories. Here’s an example where we’re checking a key directory of a Telvent HMI:
# <custom_item> wrapper added here so the fragment is a complete .audit item
<custom_item>
type: FILE_PERMISSIONS
description: "File permissions check for c:\program files\Telvent\DNA\XOS\xos_elements"
info: "Bandolier Check Number: b11020"
info: "Bandolier Severity Rating: Moderate"
info: "Additional Information: http://www.digitalbond.com/index.php/research/bandolier/b11020/"
value_type: FILE_ACL
value_data: "Telvent_File_ACL_2"
file: "c:\program files\Telvent\DNA\XOS\xos_elements"
</custom_item>
It takes this check combined with the access control list defined in "Telvent_File_ACL_2" (leaving it out for the sake of space here).
File and directory permissions were nearly impossible to evaluate and often overlooked before Bandolier so we’re excited to include these checks in the audit files.
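The baseline permissions check described in the comment above, together with the privilege-escalation gap the post warns about, as an added example: this is not code from the original post and not Bandolier's or Digital Bond's code. It is a PowerShell audit that compares a directory's ACL against an expected baseline (the way the FILE_PERMISSIONS check above compares against Telvent_File_ACL_2) and also flags any write-class right granted to a principal an unprivileged user can act as, the condition that lets a low-privileged attacker plant a binary or DLL that a SYSTEM or administrative process later runs. The directory C:\Program Files\ExampleHMI, the baseline ACL in $ExpectedAcl and the principal list are assumptions chosen for illustration, not values taken from any vendor.

```powershell
# Added example, not code from the original post or from Bandolier.
# Assumptions: $Target stands in for a control-system application directory;
# $ExpectedAcl is an illustrative baseline, not a vendor-published one.

# Principals an unprivileged user can act as. Write-class rights for any of
# these on a program directory are a privilege-escalation gap.
$LowPrivPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Only the specific rights that allow changing the directory or its contents.
# (Modify/FullControl contain these bits, so they are caught too; ReadAndExecute is not.)
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Illustrative baseline (assumption): what the ACL should look like after install.
$ExpectedAcl = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl';                 Type = 'Allow' },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl';                 Type = 'Allow' },
    @{ Identity = 'BUILTIN\Users';          Rights = 'ReadAndExecute, Synchronize'; Type = 'Allow' }
)

function Test-WriteRight {
    # Inherited or inherit-only ACEs may carry generic bits instead of specific
    # rights, so GENERIC_ALL and GENERIC_WRITE are checked as well.
    param([int]$Raw)
    $genericAll   = 0x10000000
    $genericWrite = 0x40000000
    if (($Raw -band $genericAll) -ne 0 -or ($Raw -band $genericWrite) -ne 0) { return $true }
    return (($Raw -band [int]$WriteRights) -ne 0)
}

function Test-DirectoryAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable[]]$Expected
    )
    $acl = Get-Acl -Path $Path
    $findings = @()

    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $rights = $ace.FileSystemRights
        $type   = [string]$ace.AccessControlType

        # 1. Privilege-escalation gap: write-class rights for a low-privilege principal.
        if ($type -eq 'Allow' -and ($LowPrivPrincipals -contains $id) -and (Test-WriteRight ([int]$rights))) {
            $findings += "WEAK: '$id' has write-class rights ($rights) on $Path (inherited=$($ace.IsInherited))"
        }

        # 2. Baseline drift: an ACE the baseline does not list.
        $known = $Expected | Where-Object {
            $_.Identity -eq $id -and $_.Type -eq $type -and
            ([System.Security.AccessControl.FileSystemRights]$_.Rights) -eq $rights
        }
        if (-not $known) { $findings += "DRIFT: unexpected ACE '$id' $type $rights" }
    }

    # 3. Baseline drift: an expected ACE that is absent.
    foreach ($exp in $Expected) {
        $present = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $exp.Identity -and
            [string]$_.AccessControlType -eq $exp.Type -and
            $_.FileSystemRights -eq ([System.Security.AccessControl.FileSystemRights]$exp.Rights)
        }
        if (-not $present) { $findings += "DRIFT: expected ACE missing: '$($exp.Identity)' $($exp.Type) $($exp.Rights)" }
    }
    return $findings
}

function Remove-WeakAce {
    # Remediation: strip explicit Allow ACEs that give a low-privilege principal
    # write-class rights. Inherited ACEs cannot be removed here; fix those at the
    # parent or break inheritance first. Run as an administrator.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $weak = @($acl.Access | Where-Object {
        -not $_.IsInherited -and [string]$_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (Test-WriteRight ([int]$_.FileSystemRights))
    })
    foreach ($ace in $weak) { [void]$acl.RemoveAccessRule($ace) }
    if ($weak.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $weak.Count
}

# Usage (assumed target directory): report findings, then remediate after review.
$Target = 'C:\Program Files\ExampleHMI'
$result = Test-DirectoryAcl -Path $Target -Expected $ExpectedAcl
if (-not $result) { "PASS: $Target matches the baseline ACL" } else { $result }
# Remove-WeakAce -Path $Target   # uncomment once the WEAK findings have been reviewed
```

WEAK findings are the ones to act on first; DRIFT findings say only that the ACL differs from the baseline, which may be legitimate (a vendor update, a deliberately added service account) and should be confirmed against the install before the baseline is changed. Run the check on a non-production host first, and treat a PASS on one directory as covering that directory only: the post's point is that each application, service and program directory needs its own baseline.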