Access to Admin only folders without taking ownership i.e. Folder elevation

  • Question

  • Ok, let's say I have a folder with “very sensitive stuff™” in it, i.e. bank details, security info, etc. I don’t want Mr Average User or even my own un-elevated processes to access this folder, as if they become compromised this important info is accessible. So I set the permissions to SYSTEM & Administrators only so that I (and any other admins) can access it when elevated but no one else. BUT Vista/Win7 c**ps all over this simple security model as explorer.exe won’t open folders elevated! In fact it rather unhelpfully offers to take ownership and add my user account MyPc\JoeBloggs to the folder permissions. Now this security “feature” allows all non-elevated processes access to this folder (what’s the point of the Administrators Group?). Also in the network setting, if some internal policy change means I am no longer an admin, I can still access all the folders I simply viewed in Explorer in perpetuity unless someone audits every directory on every PC I have ever accessed. I know this is being sold as a security feature but clearly it is simply undermining the purpose of the Administrators Group. In any case I can just elevate a cmd prompt and bypass this restriction (but this is a royal PITA) or run a 3rd party file browser elevated (god, where do I begin with the logic of that). How do you get around this problem?



    Explorer NEEDS to be able to elevate folder windows to make it remotely useful to admins, who otherwise are forced to turn off UAC and go back to having to switch between two accounts every five minutes. Taking ownership or adding user account permissions is NOT a replacement for admin permissions; they are two totally different concepts, especially since admins are not running as admins any more. I guess this is what you get when you let UI coders (read morons) loose on security concepts (network stacks, service code, threading, IO, or anything else that doesn’t involve pretty animated icons in dialogs). I am sorry about the hostile tone in this message but I really wonder why Microsoft hasn't fixed this yet; it effectively renders UAC useless.

    Is there any way around this obvious feature oversight?

    Tuesday, August 11, 2009 12:17 PM
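The two halves of the poster's setup, as an added example that is not part of the original thread: locking a folder to SYSTEM and Administrators only, and the audit the poster says nobody does (finding directories where Explorer's "add your account to the folder" step has left an explicit user ACE behind). It assumes Windows PowerShell 5.1 or later, an elevated session for the writes, and hypothetical paths such as C:\Sensitive; the function names are mine.

```powershell
# Added example, not code from the original thread. Assumes Windows PowerShell 5.1 or later,
# an elevated session (Set-Acl on these folders needs the unfiltered Administrators token),
# and hypothetical paths such as C:\Sensitive.

# The only identities that belong on an "admins only" folder.
$AllowedSids = @(
    'S-1-5-18',     # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'  # BUILTIN\Administrators
)

function Set-AdminOnlyAcl {
    # Locks a folder down to SYSTEM and Administrators: inheritance off, no other ACEs.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting; the second argument ($false) means the inherited ACEs are not copied in as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE already present, e.g. a user account Explorer added earlier.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($id in ($explicit | Select-Object -ExpandProperty IdentityReference -Unique)) {
        $acl.PurgeAccessRules($id)
    }
    foreach ($sid in $AllowedSids) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.SecurityIdentifier]::new($sid),
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    # Owner stays with Administrators, so a later "take ownership" by a user account shows up in the audit.
    $acl.SetOwner([System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Find-StrayUserAce {
    # Walks a tree and reports directories carrying explicit Allow ACEs for anything other than the
    # allowed SIDs. Explorer's "add your account to the folder" step leaves exactly this behind.
    param([Parameter(Mandatory)][string]$Root)

    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
                 Where-Object { $_.AccessControlType -eq 'Allow' -and
                                $AllowedSids -notcontains $_.IdentityReference.Value }
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }   # orphaned SID, e.g. an account deleted since
            [pscustomobject]@{
                Directory = $dir.FullName
                Identity  = $name
                Sid       = $sid.Value
                Rights    = $rule.FileSystemRights
                Owner     = $acl.Owner
            }
        }
    }
}

function Remove-StrayUserAce {
    # Removes a reported ACE. Supports -WhatIf so the audit output can be reviewed before anything changes.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)
    process {
        if ($PSCmdlet.ShouldProcess($Finding.Directory, "remove ACE for $($Finding.Identity)")) {
            $acl = Get-Acl -LiteralPath $Finding.Directory
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]::new($Finding.Sid))
            Set-Acl -LiteralPath $Finding.Directory -AclObject $acl
        }
    }
}

# Usage (elevated):
#   Set-AdminOnlyAcl -Path 'C:\Sensitive'
#   Find-StrayUserAce -Root 'C:\Sensitive' | Format-Table Directory, Identity, Rights, Owner
#   Find-StrayUserAce -Root 'C:\Sensitive' | Remove-StrayUserAce -WhatIf
```

Run the audit from an elevated session, otherwise Get-Acl fails on exactly the folders of interest. A finding whose Owner is a user account rather than BUILTIN\Administrators is the "take ownership" case from the question; an explicit ACE for a user SID with Administrators still the owner is the "add my account" case.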

Answers

  • Yes, I am aware of the issues of physical access, but physical hardware can be physically secured. But by your logic we should do away with ACLs and just go back to FAT....  What is the point of ACLs but to restrict access to data on a user or group basis (especially in a network scenario)?

    EFS/encryption is not without its problems and is certainly not the panacea you make it out to be. I mean with physical access I could brute force the SAM and recover EFS keys that way, or SoftICE the machine and read the key from RAM... If people have access to the physical machine you are hosed, period, unless keys are held elsewhere.
    Not to mention I now have to have a key backup policy in force and explicitly provide access to each user that needs to access the files rather than just "Administrators".  In any case we are not talking about the access code to the IMF bank account or the CIA's and MI5's secret code books here, just stuff I don't want someone to be able to read via an IE exploit.
    Encryption is an end-to-end system-level problem; just using supersecretcode 1000000000-bit security achieves nothing if the keys aren't secure or are hashed with passwords like "letmein", "qwerty", "ytrewq", "boobies", "manUrule" and all the other passwords that any password audit will show up.

    As for creating another group, aren’t we just duplicating ourselves here? So I need to add myself and others to "Administrators" to perform admin stuff and to "Copy of Administrators because MS cannot write Explorer to work in Vista" to access the data needed to administrate stuff?

    The point I am making is that by default with un-elevated Explorer, if you go to a directory (e.g. c:\Network policies) with only Administrator group access to it, you get an elevation prompt to add your user account SID to the folder. So now that folder has Administrators and JoeBlogs = Full Access. That is LESS secure than before, since all my processes run with a JoeBlogs token but only elevated ones run with an Administrator token, and if I subsequently leave the admin group I can still access it all without further elevation. That is a flaw (especially if it's the default behaviour).

    I mean what is the point of UAC? Does anyone really know any more?
    Is it:-

    a) a way to nag ISVs to rewrite applications to run under standard user accounts

    b) a way to mandatorily de-privilege applications that have large attack profiles (e.g. IE's protected mode) and apply the concept of least privilege to everyday apps that don’t need admin tokens.

    If it's (a) then well done MS! UAC has finally handed the ISVs their asses to them and forced them to write security-aware code. Now can we have an OS installer that sets up both user- and admin-level accounts, logs in the user account by default and strongly warns against using the admin account, and then ditch UAC.

    If (b), then it is a fine feature that is completely let down by the poor implementation in the in-box shell, and the Windows 7 changes further devalue it.

    So rather than white-listing stuff so that it can be exploited by malware via CreateRemoteThread and other exceedingly simple techniques... After all, if someone is smart enough to successfully reverse engineer the file format and find bugs that MS's own audit teams couldn't find with the source code, and then figure out how to successfully heap spray a DEPed, ASLRed app such as wmplayer, then CreateRemoteThread isn't going to bother them.

    Let Explorer elevate a surrogate process after the first UAC action, then leave it running. Any further settings that need UAC can just notify the surrogate via an event and let it deal with it. Same for Task Manager etc. This is also pretty much what MS tells ISVs to do (run your admin stuff in another process, typically a service), and no more anti-competitive allegations from the EU since anyone can do this, so it levels the playing field. I know Explorer already uses surrogate processes with elevation, but why throw that process away after one dialog? If you want fewer prompts, just leave it running; you don’t need white lists then, it becomes just an Explorer policy setting.

    The surrogate could even refuse to honour the Run key and startup group or non-admin-approved shell extensions to prevent trivial escalation exploits, and being high integrity protects it from process injection, SendKeys, etc. It could monitor the standard Explorer process to ensure the user initiated the action. If you want, it can just go away after 5 min or something (you could even specify it in group policy).


    Benefits:
    Maximum 1 or 2 setting-related UAC prompts per session without stupid white lists.
    Can elevate folders and/or Control Panel to achieve admin tasks. (Make the menu bar different etc. to highlight this.) Once I have Control Panel elevated I can just administer the machine, no more prompts. With an elevated folder I can manage network shares or user directories. It just works™!

    No nasty hacks/white lists.

     

    IT’S CALLED SECURITY IN DEPTH!

     

    1)     try very, very hard 'til it hurts to write secure code in the first place

    2)      patch quickly

    3)      DEP, ASLR, managed code and other mitigation techniques

    4)      Sandboxing technologies -> UAC should be here <-

    5)      ACLs, process isolation, UM/KM etc.

    6)      Crypto if all else fails

     

    If UAC isn’t a sandbox-type technology then get rid of it, as it’s pointless. If it is, then don’t break it with poorly implemented white lists, and provide a way for privileged users to work outside the sandbox without removing it altogether or having to ditch the shell. Medium integrity on some apps/windows together with some High is much more secure than High on all.

     

    UAC isn’t broken in Vista, explorer.exe is. As for my original problem, I used a 3rd party app with file browsing capability (7-Zip) and just elevate that on demand, but really there should be something in-box to support admin access to a folder without having to use cmd.exe.


    And we all know why Explorer is implemented the way it is... it's written by people that obviously have no idea about security.

    • Edited by HackedOffAdmin Wednesday, August 12, 2009 12:58 PM
    • Marked as answer by Andy Song Friday, September 4, 2009 10:04 AM
    Wednesday, August 12, 2009 12:46 PM
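Two things from the answer above made concrete, as an added example that is not code from the thread or from Microsoft: a look at the filtered token that explains why an unelevated process of an admin user is refused by an Administrators-only ACL, and the "elevate a surrogate on demand" workaround the poster ended up using with 7-Zip. It assumes Windows PowerShell 5.1 or later; the 7-Zip path is the default install location and is an assumption, as are the function names.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 or later. The 7-Zip file
# manager path is an assumption (default install location); any file manager that takes a folder
# argument will do.

function Get-TokenSummary {
    # Under UAC an admin's ordinary processes run on a filtered token: BUILTIN\Administrators is
    # present but marked "used for deny only" and the integrity label is Medium. That token fails
    # an access check against an ACL granting only SYSTEM and Administrators; the elevated token passes.
    $rows   = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $rows | Where-Object { $_.SID -like 'S-1-16-*' }     # mandatory integrity label
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prin   = [System.Security.Principal.WindowsPrincipal]::new($id)
    [pscustomobject]@{
        User           = $id.Name
        Elevated       = $prin.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        IntegrityLevel = $label.'Group Name'
        AdminsDenyOnly = [bool]($admins -and $admins.Attributes -like '*deny only*')
    }
}

function Open-ElevatedView {
    # Opens one elevated window on the folder and leaves the ACL alone: this is the "elevate a
    # surrogate on demand" route rather than Explorer's "add my account to the folder" route.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$FileManager = (Join-Path $env:ProgramFiles '7-Zip\7zFM.exe')  # assumption
    )
    if (Test-Path -LiteralPath $FileManager) {
        # 7zFM.exe opens the folder given on its command line.
        Start-Process -FilePath $FileManager -ArgumentList ('"{0}"' -f $Path) -Verb RunAs
    } else {
        # Fallback: an elevated PowerShell started in that folder (one UAC prompt, no ACL change).
        $cmd = "Set-Location -LiteralPath '{0}'" -f ($Path -replace "'", "''")
        Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoExit', '-Command', $cmd -Verb RunAs
    }
}

# Usage:
#   Get-TokenSummary                      # unelevated admin: Elevated=False, IntegrityLevel=...Medium..., AdminsDenyOnly=True
#   Open-ElevatedView -Path 'C:\Sensitive' # one prompt; the folder's permissions are not modified
```

The elevated window runs at High integrity, so unelevated processes cannot drive it through window messages (UIPI blocks them); close it when done. Nothing in this route writes to the folder's DACL, which is the difference from Explorer's prompt that the question complains about.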

All replies

  • First of all, if you have "very sensitive stuff" on the local system, using ACLs is not the best thing to do. You had better use EFS or some other form of encryption to secure the data. Any user with access to the hardware has ways around ACLs to get to the data (boot other OS/media). The Administrators group is not meant to safeguard data the way you did. You can, however, create a custom group and make those files only accessible to members of the custom group. Then you don't need elevation for Windows Explorer. Only members of the local Administrators group will be able to add users to the custom group.

    Users that are not a member of the local Administrators group may be offered to take ownership of a file they have no access to (I doubt it is that way), but they simply cannot. You must be a member of the Administrators group to take ownership or have the explicit right to do so.

    I understand you don't like the fact that Explorer cannot be elevated, but there are many reasons it is implemented the way it currently is. The only way to run Explorer elevated is by disabling UAC.

    Ray
    Wednesday, August 12, 2009 9:24 AM
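Ray's custom-group suggestion carried through, as an added example that is not code from the thread: create a local group, put the user in it, and grant that group (plus SYSTEM and Administrators) the folder, with inheritance cut so nothing else leaks in. It assumes Windows 10 / Server 2016 or later for the LocalAccounts cmdlets, an elevated session, and hypothetical names (SensitiveDataReaders, JoeBloggs, C:\Sensitive). Note the trade-off the original poster raises: the group lands in the user's ordinary logon token, so every unelevated process of that user can read the folder, which is precisely what Explorer needs and precisely what the poster did not want.

```powershell
# Added example, not from the thread. Assumes Windows 10 / Server 2016 or later (the
# Microsoft.PowerShell.LocalAccounts module supplies New-LocalGroup and friends), an elevated
# session, and hypothetical names: group SensitiveDataReaders, user JoeBloggs, folder C:\Sensitive.

$GroupName = 'SensitiveDataReaders'
$Member    = "$env:COMPUTERNAME\JoeBloggs"
$Path      = 'C:\Sensitive'

function New-DataAccessGroup {
    # Creates the custom group (idempotent) and adds the member only if not already present.
    param([string]$Name = $GroupName, [string]$User = $Member)
    if (-not (Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Name -Description 'Access to the sensitive data folder' | Out-Null
    }
    $current = Get-LocalGroupMember -Group $Name -ErrorAction SilentlyContinue | ForEach-Object Name
    if ($current -notcontains $User) { Add-LocalGroupMember -Group $Name -Member $User }
}

function Grant-GroupFolderAccess {
    # Rewrites the folder ACL with icacls: SYSTEM and Administrators keep Full control, the custom
    # group gets Modify, nothing is inherited. "*S-1-..." is icacls' syntax for a raw SID.
    param([string]$Folder = $Path, [string]$Name = $GroupName)
    if (-not (Test-Path -LiteralPath $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    # /reset drops the explicit ACEs; /inheritance:r then removes the inherited ones.
    icacls $Folder /reset | Out-Null
    icacls $Folder /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "${Name}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Test-TokenHasGroup {
    # Group membership only enters a logon token at logon. Run this in a fresh session of the user
    # to confirm an unelevated Explorer will be able to open the folder.
    param([string]$Name = $GroupName)
    $sid    = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
    $groups -contains $sid
}

# Usage (elevated):  New-DataAccessGroup; Grant-GroupFolderAccess
# Then, as JoeBloggs after logging off and on again:  Test-TokenHasGroup   # True once the group is in the token
```

Membership changes are still gated on the Administrators group (Ray's point), so the custom group is managed elevated, while day-to-day reading needs no prompt. If the user is later removed from the group, access ends at the next logon, with no per-directory ACL cleanup.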
  • Man, just stay away from me ┼┼┼┼┼ (shields), you're dangerous lol....
    At some points I agree with you but some I don't; besides the fact I know jack Skit 'bout security, in my tiny brain I don't see reasons for decreasing the prompts stuff.... I know there's many ways to dribble that or there's not, but concerning those points you mentioned I think MS could go even further to solve those "issues"...
    But please stay away from me, don't hurt meee!!!!! I'm a good guy, just leave me alone!
    lol you could be dangerous man :D at least you impressed me ^^
    Kind regards,
    RR
    Wednesday, August 12, 2009 5:17 PM
  • Don't get me wrong. I am pro-prompt. Yay for the prompts. Vote prompt for four glorious years. But I just think the “annoy me slightly less” setting (which is default) in Windows 7 is very badly architected and completely at odds with the way they tell 3rd party software to act (stick your elevated code in another process to avoid prompts). I only mentioned it as it's kind of relevant, since MS think it's OK to elevate the whole Explorer process (and rundll! What were they thinking?) but not one little Control Panel or folder window.

    Anyway it doesn’t really affect me as I opted for the “annoy the he11 out of me” option.

     

    What I want is Explorer to elevate me to be able to access a folder and not to change its permissions. If I wanted to change its permissions I would click the please-change-this-folder’s-permissions thingy, not the please-view-this-folder thingy. <- See, it's different, MS

    Instead I can now use a 3rd party file manager (elevated), turn off UAC completely, or allow non-elevated software to access every folder on the system I have ever viewed (the default!!!!!!). Not much of a choice really..... 

    Wednesday, August 12, 2009 6:40 PM