Igor Delovski Board

[delovski]

At Joel: Permissions in Windows

"Every process in Windows runs as a user. What the process can do is by
and large what the user can do."

"There are two kinds of permissions in Windows: resource permissions and
policies. Resource permissions are associated with resources such as files,
directories, printers etc. There are typically several levels of resource
permissions, for example Modify, Write and Read on files and directories.
Policies are simple rules saying "X can(not) be done" or "X can(not) be
done by Y". There are no levels involved in policies."

[delovski]

Old New Thing: Security: Don't forget to initialize the stuff you don't care about

"Everybody should by now be familiar with the use of the
SecureZeroMemory function to ensure that buffers that used to contain
sensitive information are erased, but you also have to zero out buffers
before you write their contents to another location."

[XNote]

CodeGuru: GUI-Based RunAsEx

Environment: Win2K+ ONLY, VC6+, MS SDK (Platform SDK), DDK for Win2K+, Process Explorer, Local Administrator Identity

Prerequisite Knowledge: Win2K Security stuff (SID, Token, ACL, Privilege, WinStation/Desktop, and so on), NT Service, SEH

[Ike]

An introduction to ACL based security and the Windows Access Control
model: The Windows Access Control Model, Part One.

"Before delving into the concepts of authorization, I should take a
discussion about the Security Identifier (SID). We humans like to refer to
a user by their user name (like "Administrator"). A computer must refer
to the user in binary. It recognises a user by means of a hash (which is
called a SID)."

Plus, there's more:

Part 2: Basic Access Control programming
Part 3: Access Control programming with .NET v2.0
Part 4: The Windows 2000-style Access Control editor

[XNote]

Same place, The Code Project, a bit older article, but much shorter:
Using Access Control Lists to secure access to your objects,
by Rob Manderson

"However, Windows NT and descendant operating systems does
provide a pretty good level of security if we're prepared to use it."

[delovski]

Larry Osterman: Security Terms

"I’ve got a bunch of security-related articles that I’d like to write up, but
I’ve realized that doing this requires that I define some terms up front to
give a common framework for the articles. I’ll be using this post as a
reference for these posts in the future."

[Marko]

Raymond: Applications and DLLs don't have privileges; users do

"How do you protect a registry key from an application? And if
applications don't have privileges to modify a key, then who does?"

[delovski]

RC: Moving a file does not recalculate inherited permissions

"When you move a file across volumes with the MOVEFILE_COPY_ALLOWED
flag, you're saying that "move the file if possible; if not, then convert it to a
copy/delete operation". The copy operation creates a new file, which
means that inheritable properties on the destination folder do take effect.
But only if the file motion crosses volumes. If you're moving the file within
the same volume, then the ACL remains unchanged. How confusing. When
you pass the MOVEFILE_COPY_ALLOWED flag, you lose control of the ACL.
(You actually lose control of much more than just the ACL. Since the file is
being copied, none of the attributes from the original file are kept on the
copy. The copy inherits its encryption and compression status from the new
parent directory. The copy also gets a new owner, which has follow-on
consequences for things like disk quota.)"

[Igor]

msdn: NetUserGetInfo, NetUserSetInfo and NetUserEnum!

struct USER_INFO_1:

[delovski]

Mark Russinovich: The Case of the Notepad that Wouldn't Run

"UAC allows for users, even administrators, to run as standard users
most of the time, while giving them the ability to run executables with
administrator rights when necessary. There are several mechanisms by
which executables can trigger a request for administrator rights:

* If the executable image includes a Vista manifest file that specifies a
desire or need for administrator rights (this would be added by the
developer who creates the image).

* If the executable is in Vista’s application compatibility database as a
legacy application that Microsoft has identified as requiring administrator
rights to run correctly.

* If the user explicitly requests an elevation using Explorer’s “Run as
administrator” menu item in the context menu for executables (also can
be set as an advanced shortcut property). Note that this does not run the
executable under the Administrator account, but rather under the account
of the logged in user, but with the Administrator group enabled in the
process security token.

* If the executable is determined to be a setup or installer program (for
example, if the word “setup” or “update” is in the image’s name)."

[delovski]

Ask Vista for system privileges

Uwe: "Self restart you application by means of ShellExecute and the "runas" parameter:

[Ike]

Digg: Gain control of those "Access Denied" Folders in Windows

"This is a short guide to help gain ownership of a folder that give you those
annoying "Access denied" messages on your own Windows system. This
will reassign the ownership of the blocked folder giving you complete access
to whatever you want, giving control back to you!"

[delovski]

OldNewThing: The administrator is an idiot

"Pre-3.7 versions of WinRAR weren't Vista compatible; upgrade. Vista-
compatible programs will tell the OS if and when the really need admin
privs, and extraction files should not be among these times (exception: if
it's extracting to Program Files or a system folder, then yes, it will need
admin privs, for obvious reasons."

[delovski]

JoS: Vista and Program Self Updating

"Simon at http://www.autoupdateplus.com sometimes posts here and he
lives and breathes this stuff...
...

Use the "RUNAS" verb with ShellExecute. See the example in C++."

[Ike]

JoS: Permissions & Vista

"Is there an API that I can run to elevate privileges mid-way through my app?"

[Ike]

RC: Why does canonical order for ACEs put deny ACEs ahead of allow ACEs?

"In words, we go through the ACEs in the ACL in the order they appear, paying
attention only to the ones that apply to the user, i.e. the ones whose SIDs are
present in the user's token. If a permission is being denied, and the user is still
looking for that permission, then access is denied. If a permission is being
granted, then those permissions are subtracted from the permissions the user
is still looking for. If, at the end of the day, all the permissions the user requests
have been granted, then access is granted."

[Ike]

RC: How do the names in the file security dialog map to access control masks?

"When you call up the file security dialog, you'll see options like "Full Control"
and "Read and Execute". That's really nice as friendly names go, but when
you're digging into the security descriptor, you may need to know what those
permissions really map to when it comes down to bits."

[XNote]

RC: How do I mark a shortcut file as requiring elevation?

"To do this, you set the SLDF_RUNAS_USER flag in the shortcut attributes."

[delovski]

JoS: Program Installation on Vista with UAC

"The first time I noticed this was after installing a game (Rise of Legends). I
played the campaign for a bit, then quit. The next time I went to play, the
game acted like I had just started it for the first time, and I couldn't find my
saved game."

[Ike]

RC: Anybody can make up a generic mapping

"Each component that uses ACLs to control access has its own idea of what
GENERIC_READ, GENERIC_WRITE, and GENERIC_EXECUTE mean. It's not
like there's a master list that somebody can make that lists them all, because
I can make up a new one right here."

[delovski]

JoS: Detect if application is running with admin privileges

"How can I detect if an application us running with admin privileges? Is
there an API or something?"

[Ike]

so - netUserGetInfo return 2221

https://learn.microsoft.com/en-us/windows/win32/netmgmt/network-management-error-codes

"errorcode 2221 means "NERR_UserNotFound but user exists"

Get current user's last logon: https://stackoverflow.com/questions/3371807/get-current-users-last-logon/