W
Will
The general rule in Windows XP, Windows 2000, and Windows 2003 is that in a
file access control list (i.e., DACL), the deny permissions are scanned
first, and only after excluding the requestor from the Deny list are the
Accept list entries scanned. It turns out that the kernel does not have
this restriction, but the GUI tools we use in Windows XP to set file
security always place the Deny list entries at the top.
Well, I have made the ugly discovery today on a Windows XP SP2 system that
if you set a folder to inherit permissions, then attempt to add some
additional user or group objects into the list, that now those additional
objects are placed at the *top of the DACL*. If those new access rule
entries are Accept conditions, then they will be executed *before* the Deny
entries in the inherited list, and your Deny list does NOT get priority
execution.
At very least, this very surprising behavior is not well documented. But
here is why I consider this to be a very serious bug. Any intruder who
manages to get into a system now need only put a duplicate entry into the
DACL to in effect reverse its meaning. If you started with:
Deny ANONYMOUS All
Deny Guests All
Accept Administrators All
Accept SYSTEM All
The user can simply add a rule such as:
Accept ANONYMOUS All
The fully resolved list in the Advanced view of the DACL will now be:
Accept ANONYMOUS All
Deny ANONYMOUS All
Deny Guests All
Accept Administrators All
Accept SYSTEM All
And sure enough, the Accept rule at the top will execute prior to the Deny
rule, and the intruder has now introduced a very subtle back door into the
system that only the most observant administrator could possibly catch.
The default view of the DACL would only show one entry for ANONYMOUS and you
would have to select it to see that both Accept and Deny columns were
checked, and many administrators would wrongly assume that the Deny entries
were going to execute first, when in the special case I have found they will
execute after the Accept entry.
Since most of us use inheritance widely on our file systems, this is not an
obscure case. It is in fact the common case. Can someone explain to me
if this is a "feature" and why it should be so?
file access control list (i.e., DACL), the deny permissions are scanned
first, and only after excluding the requestor from the Deny list are the
Accept list entries scanned. It turns out that the kernel does not have
this restriction, but the GUI tools we use in Windows XP to set file
security always place the Deny list entries at the top.
Well, I have made the ugly discovery today on a Windows XP SP2 system that
if you set a folder to inherit permissions, then attempt to add some
additional user or group objects into the list, that now those additional
objects are placed at the *top of the DACL*. If those new access rule
entries are Accept conditions, then they will be executed *before* the Deny
entries in the inherited list, and your Deny list does NOT get priority
execution.
At very least, this very surprising behavior is not well documented. But
here is why I consider this to be a very serious bug. Any intruder who
manages to get into a system now need only put a duplicate entry into the
DACL to in effect reverse its meaning. If you started with:
Deny ANONYMOUS All
Deny Guests All
Accept Administrators All
Accept SYSTEM All
The user can simply add a rule such as:
Accept ANONYMOUS All
The fully resolved list in the Advanced view of the DACL will now be:
Accept ANONYMOUS All
Deny ANONYMOUS All
Deny Guests All
Accept Administrators All
Accept SYSTEM All
And sure enough, the Accept rule at the top will execute prior to the Deny
rule, and the intruder has now introduced a very subtle back door into the
system that only the most observant administrator could possibly catch.
The default view of the DACL would only show one entry for ANONYMOUS and you
would have to select it to see that both Accept and Deny columns were
checked, and many administrators would wrongly assume that the Deny entries
were going to execute first, when in the special case I have found they will
execute after the Accept entry.
Since most of us use inheritance widely on our file systems, this is not an
obscure case. It is in fact the common case. Can someone explain to me
if this is a "feature" and why it should be so?