Adding XP in another partition users into Vi$ta

Discussion in 'Windows Vista Security' started by Man-wai Chang ToDie (33.6k), Oct 14, 2008.

  1. Can you confirm this? It was my understanding that you can
    only grant the permission for another to take ownership and
    not simply assign ownership to another (for auditing purposes
    to avoid someone taking ownership, making nefarious changes
    and then assigning ownership to a scapegoat).

    ....again, this was from the W2K link - but I don't see why
    that would change in Vista (unless they've improved on the
    audit trail).
    FromTheRafters, Oct 17, 2008
    1. Advertisements

  2. Man-wai Chang ToDie (33.6k)

    Jimmy Brush Guest

    Yup :). You have to hold the restore privilege (admins have it by default).

    This isn't new functionality to Vista, it was just never exposed in the UI

    I am not aware of any auditing enhancements.

    - JB
    Jimmy Brush, Oct 17, 2008
    1. Advertisements

  3. Man-wai Chang ToDie (33.6k)

    Jimmy Brush Guest

    It's not just from IE ... it is any non-elevated program. The problem is
    kind of interesting.

    The actual ACL entry on the root drive is:

    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

    Which means the label should only be applied to files that are created
    beneath the root drive one level deep, with a no-write-up policy.

    So the root drive itself has no label... theoretically, you should be able
    to give yourself permission and create files.

    But if you do that and try to create a file, you will get the error "A
    required privilege is not held by the client."

    Hmm... interesting. Ah... there is a security policy that says a process
    cannot create a securable object that has a higher integrity than the
    process, unless it has the SE_RELABEL_NAME privilege.

    So it looks like it's failing because of that.

    - JB
    Jimmy Brush, Oct 17, 2008
  4. It was this bit that got me thinking that...

    "The Owner tab shown in Figure 12.19 has no option for giving ownership to
    another individual. If that were possible, an unscrupulous user could take
    ownership, do something wrong, and then cover his tracks by giving ownership
    to someone else. To prevent that from happening, the operating system does
    not support a give ownership operation at any levelnot in the user
    interface, not in application programming interfaces. It is true that a
    program can write new information in the Owner field of an objects security
    descriptor if the process has WRITE_OWNER access to the object, but
    WRITE_OWNER access permits the caller to change ownership only to the user
    SID in the callers access token or, if the user is a member of the
    Administrators group, to the Administrators SID. Thus it is never possible
    to give ownership of an object to another user. If you want to transfer
    ownership of an object, you must give another user permission to take
    ownership and then wait until the other user takes it."
    FromTheRafters, Oct 19, 2008
  5. Man-wai Chang ToDie (33.6k)

    Jimmy Brush Guest

    The statement about there being no API to do it is just plain wrong. I guess
    sometimes the left hand doesn't know what the right hand is doing :).

    If Windows didn't support some mechanism for allowing a group of users to
    set the owner on a file, the Windows backup program could not correctly
    restore backups.

    One can always remove this capability by not granting Administrators the
    restore privilege.

    - JB
    Jimmy Brush, Oct 19, 2008
  6. Thanks again Jimmy.

    I guess you can't always believe what you read.
    FromTheRafters, Oct 19, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.