
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

exe was a popular way for
exploits to download malware and secure a foothold on a compromised system.
Exploits could count on the TFTP client being available on every Windows installation.
Let's compare the Windows XP DACL on tftp.exe to the Windows Server 2003 DACL (see
Figure 16-14).
Figure 16-14 tftp.exe DACL on Windows XP and Windows Server 2003
The Users SID allow ACE in Windows XP was removed and replaced in Windows
Server 2003 with three Interactive SID allow ACEs granting precisely the access
intended: any interactive logon, services, and batch jobs. In the event of a web-based
application being exploited, the compromised IUSR_* or ASPNET account would have
access denied when attempting to launch tftp.exe to download more malware. This was
a clever use of authentication SID ACEs on Microsoft's part.
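
The effect of swapping the Users ACE for logon-type ACEs can be modelled with a simplified DACL walk. This is an added example, not code from the book: the ACE lists hold only the entries the text names, and the token contents (placeholder user SIDs, group and logon SIDs) are assumptions.

```python
# Well-known SIDs (real values) and file access masks from the Windows SDK.
USERS, NETWORK = "S-1-5-32-545", "S-1-5-2"
BATCH, INTERACTIVE, SERVICE = "S-1-5-3", "S-1-5-4", "S-1-5-6"
FILE_EXECUTE = 0x20
READ_EXECUTE = 0x1200A9  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE

# Constructed DACLs: only the ACEs the text names; all others are omitted.
XP_DACL = [("allow", USERS, READ_EXECUTE)]
W2K3_DACL = [("allow", INTERACTIVE, READ_EXECUTE),
             ("allow", SERVICE, READ_EXECUTE),
             ("allow", BATCH, READ_EXECUTE)]

# Constructed tokens (assumption): user SIDs are placeholders, and the web
# account holds Users plus a network logon SID but no logon-type SID from
# the 2003 DACL.
WEB_TOKEN = {"S-1-5-21-0-0-0-1001", USERS, NETWORK}
CONSOLE_TOKEN = {"S-1-5-21-0-0-0-1002", USERS, INTERACTIVE}


def access_check(dacl, token_sids, desired):
    """Walk ACEs in order: a matching deny on a still-needed bit fails,
    matching allows accumulate until every desired bit is granted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False  # no ACE granted the remaining bits: implicit deny


def can_launch(dacl, token_sids):
    return access_check(dacl, token_sids, FILE_EXECUTE)


if __name__ == "__main__":
    for name, dacl in (("Windows XP", XP_DACL), ("Server 2003", W2K3_DACL)):
        print(name, "web account:", can_launch(dacl, WEB_TOKEN),
              "| console user:", can_launch(dacl, CONSOLE_TOKEN))
```

The model skips owner rights, privileges and restricted tokens, so it illustrates the ACE ordering logic only, not the full Windows access check.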
LOGON SID
Isolating one user's owned objects from another user's is pretty easy: you just ACL the
items granting only that specific user access. However, Windows would like to create isolation
between multiple Terminal Services logon sessions by the same user on the same
machine. Also, user A running a process as user B (with RunAs) should not have access
to other securable objects owned by user B on the same machine.

