funsec mailing list archives

RE: Re: Image-handling flaws put Windows PCs at risk


From: James Eaton-Lee <james.mailing () gmail com>
Date: Thu, 10 Nov 2005 12:03:08 +0000

On Thu, 2005-11-10 at 11:42 +0000, Barrie Dempster wrote:
> On Wed, 2005-11-09 at 09:11 -0500, Wolfe, James M wrote:
> > I remember when the VBS viruses started making the rounds if you had an
> > NT 4 machine you could simply delete scrrun.dll and you'd be OK. Win 2K
> > on the other hand which was just coming out at the time would put the
> > file back no matter if you deleted it, renamed it, or tried sticking in
> > a zero byte file. So much for being able to remove features that you
> > don't want.
>
> Windows File Protection was an addition which was meant as an added
> security system in order to give you at least a base level of integrity
> checking.
>
> http://support.microsoft.com/?kbid=222193
>
> This was very well documented at the time and has had a lot of attention
> since then.

As a corollary to this, as well as disabling WFS and removing the file
altogether, it would also have been relatively simple to add an
'everyone deny' permission to this file in order to prevent it from
being used - although I'm not sure quite what this particular file might
break if removed (or ACL'd), I've used this on DLLs in the past quite
successfully where removal of the file hasn't been appropriate (or where
it's been a temporary measure)

Using file permissions would also have let you deploy this via group
policy (or as a security policy, since you seem to prefer NT) to a large
number of machines with ease (Computer Configuration/Windows
Settings/Security Settings/File System in the Group Policy tree) - not
so much a case of "So much for being able to remove features that you
don't want." as "So much for reading the manual". :P

 - James.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
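
The deny-ACL approach described in the message above, as an added example that is not part of the original post. It assumes a modern Windows host with PowerShell, an elevated session, and an account permitted to change the file's DACL (on current Windows, system files are owned by TrustedInstaller, so ownership must be handled first); the script and its `-Undo` switch are hypothetical names.

```powershell
# Added example: deny access to a DLL instead of deleting it, with a rollback
# switch for when the block is only a temporary measure.
# Assumptions: elevated session; caller is allowed to modify the file's DACL.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\scrrun.dll'),
    [switch]$Undo   # hypothetical switch: remove the deny entry again
)

# Well-known SID for Everyone (S-1-1-0); avoids localized group names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Explicit deny of read and execute, so the file can be neither read nor loaded.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'ReadAndExecute', 'Deny')

$acl = Get-Acl -LiteralPath $Path
if ($Undo) {
    # Removes only an entry that exactly matches the rule added by this script.
    $acl.RemoveAccessRuleSpecific($rule)
} else {
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Re-read the DACL and list the explicit (non-inherited) deny entries for Everyone.
$sidType = [System.Security.Principal.SecurityIdentifier]
$deny = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'S-1-1-0'
    }

if ($Undo -and $deny) {
    Write-Warning "A deny entry for Everyone is still present on $Path"
} elseif (-not $Undo -and -not $deny) {
    Write-Warning "The deny entry was not applied to $Path"
} else {
    $state = if ($Undo) { 'removed' } else { 'applied' }
    Write-Output "Deny entry for Everyone ${state}: $Path"
}
```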