Task manager violates security how many ways?

Norman Diamond

In a Vista Ultimate installation, there are several administrative users and
several standard users. A standard user can press Ctrl+Shift+Esc to invoke
the Task Manager. A standard user can click the Processes tab. So far, so
good.

At the bottom of the Task Manager screen is a button saying "Show processes
from all users". I HAVE NOT CLICKED THIS BUTTON. Intuitively I think that
if I click the button then Vista will prompt with a list of administrative
users, I will have to select one, and I will have to type its password. I
haven't tried it yet.

Task Manager is showing processes owned by Task Manager's owner (a standard
user) AND processes owned by an administrative user. Why?

Here is a link to a screenshot. The user "英語ユーザ" is a standard user.
Previously an administrative user installed the English language pack and
this standard user is using it (this part of it is mostly working). The
user "soft1" is an administrative user.
http://www.geocities.jp/hitotsubishi/unprivileged_taskmgr.png
 
David Dickinson

Task Manager is showing processes owned by Task Manager's owner (a
standard user) AND processes owned by an administrative user. Why?

I don't understand the problem. Do you mean that a standard user might see
that an administrator was playing Postal2 just before a fast user switch?

While there might be a relationship to issues of confidentiality, I wouldn't
exactly call this a "security violation" unless examining the programs that
another user has running violates a company's policies. In that case, you
can use group policy to prohibit standard users from running Task Manager.
 
Rock

Norman Diamond said:
In a Vista Ultimate installation, there are several administrative users
and several standard users. A standard user can press Ctrl+Shift+Esc to
invoke the Task Manager. A standard user can click the Processes tab. So
far, so good.

At the bottom of the Task Manager screen is a button saying "Show
processes from all users". I HAVE NOT CLICKED THIS BUTTON. Intuitively I
think that if I click the button then Vista will prompt with a list of
administrative users, I will have to select one, and I will have to type
its password. I haven't tried it yet.

Yes, if you click that button from a standard user account, then it will
request credentials, the password on an admin account, to show all the
processes.
Task Manager is showing processes owned by Task Manager's owner (a
standard user) AND processes owned by an administrative user. Why?

Here is a link to a screenshot. The user "英語ユーザ" is a standard user.
Previously an administrative user installed the English language pack and
this standard user is using it (this part of it is mostly working). The
user "soft1" is an administrative user.
http://www.geocities.jp/hitotsubishi/unprivileged_taskmgr.png

That's normal for a standard user. It's not showing all the processes on
the system that one would see by clicking on show processes from all users.
 
Norman Diamond

David Dickinson said:
I don't understand the problem. Do you mean that a standard user might
see that an administrator was playing Postal2 just before a fast user
switch?

Well that wasn't my meaning but it's equally good as my meaning. I think
that Task Manager shouldn't show other users' processes unless the user asks
for it, AND that a standard user shouldn't be able to see other users'
processes at all. And I think these two thoughts should be additive not
subtractive ^_^
While there might be a relationship to issues of confidentiality, I
wouldn't exactly call this a "security violation"

Consider what kind of user is permitted to run the Event Viewer. Microsoft
seems to have designed security to include viewing as well as changing.
 
Norman Diamond

Rock said:
Yes, if you click that button from a standard user account, then it will
request credentials, the password on an admin account, to show all the
processes.

Thank you for confirming my intuition.
That's normal for a standard user. It's not showing all the processes on
the system that one would see by clicking on show processes from all
users.

Sure it's not showing all, but why is it showing any? I think it shouldn't
show any other users' processes until administrative credentials are input
(especially when the other users' processes are running as admin).
 
Seth

Norman Diamond said:
Thank you for confirming my intuition.


Sure it's not showing all, but why is it showing any? I think it
shouldn't show any other users' processes until administrative credentials
are input (especially when the other users' processes are running as
admin).

The additional processes you are seeing are system processes that are
running in the current user's context.
 
Norman Diamond

Seth said:
The additional processes you are seeing are system processes that are
running in the current user's context.

As shown in the screenshot, the additional processes are not system
processes and they are not running in the current user's context.
http://www.geocities.jp/hitotsubishi/unprivileged_taskmgr.png
Administrative user "soft1" is running user process "cmd.exe" in the context
of user "soft1". I can type input into that window. I still wonder why
standard user "英語ユーザ" was able to see processes owned by "soft1".

(For example, after posting, I typed the command line "taskmgr" and got a
second Task Manager window. As expected, the second one was owned by user
"soft1" instead of "英語ユーザ". As expected, that one did show system
processes. As expected, system processes were owned by user SYSTEM or LOCAL
SERVICE or NETWORK SERVICE.)
 
Seth

Norman Diamond said:
As shown in the screenshot, the additional processes are not system
processes and they are not running in the current user's context.
http://www.geocities.jp/hitotsubishi/unprivileged_taskmgr.png
Administrative user "soft1" is running user process "cmd.exe" in the
context of user "soft1". I can type input into that window. I still
wonder why standard user "英語ユーザ" was able to see processes owned by
"soft1".

But you don't specify "how" those processes were launched. Are they
showing up from a previous Windows session where they were launched and then
you "switched" users? Or were they run using "RunAs" from within the
current user context?
 
Norman Diamond

Seth said:
But you don't specify "how" those processes were launched. Are they
showing up from a previous Windows session where they were launched and
then you "switched" users? Or were they run using "RunAs" from within the
current user context?

cmd.exe was launched using Vista's equivalent of "RunAs". That command
window and any programs started from that command window operate in the
context of user "soft1" not user "英語ユーザ". I still don't see why it is
considered acceptable for an instance of taskmgr.exe which is running in the
context of standard user "英語ユーザ" to display any of the tasks which run
in the context of a user other than "英語ユーザ".

(In contrast when another instance of taskmgr.exe was started by
administrative user "soft1" and that privileged instance showed everything,
that seemed reasonable to me.)
 
Norman Diamond

Alun Harford said:
I doubt that. I suspect that "soft1" is running cmd.exe in the context of
"Administrators", which all users can see.

I doubt that. taskmgr.exe showed that cmd.exe is being executed by user
"soft1" not by "Administrators".

Meanwhile, why should all users be able to see applications that run in the
context of "Administrators"? taskmgr.exe properly refused to display
applications that run in the context of SYSTEM or LOCAL SERVICE or NETWORK
SERVICE. Why make an exception for Administrators, are they intentionally
less secure than LOCAL SERVICE?
 
Frank Saunders, MS-MVP OE/WM

cmd.exe was launched using Vista's equivalent of "RunAs". That command
window and any programs started from that command window operate in the
context of user "soft1" not user "英語ユーザ". I still don't see why it is
considered acceptable for an instance of taskmgr.exe which is running in
the context of standard user "英語ユーザ" to display any of the tasks which run
in the context of a user other than "英語ユーザ".

(In contrast when another instance of taskmgr.exe was started by
administrative user "soft1" and that privileged instance showed
everything, that seemed reasonable to me.)

So, either you gave the password for "soft1" or it doesn't have a password.
In the first case there is no security violation, in the second case the
lack of a password for "soft1" is the security violation.
 
Norman Diamond

Frank Saunders said:
So, either you gave the password for "soft1" or it doesn't have a
password. In the first case there is no security violation, in the second
case the lack of a password for "soft1" is the security violation.

Are you replying to my parenthetical remark? If so, I agree with you. I
added that parenthetical remark in order to point out how it differs from
the situation that I'm complaining about.

When standard user "英語ユーザ" started taskmgr.exe, this standard user did
not enter any password. Furthermore this standard user did not even click
the button to try showing processes owned by other users, and still did not
enter any password. So why did this standard user's instance of taskmgr.exe
display processes that are owned by a user other than this standard user? I
do not think the answer is because a completely separate operation involved
inputting a password for that completely separate operation. I think the
display by an unprivileged execution of taskmgr.exe, of processes owned by a
different user than the unprivileged owner of that instance of taskmgr.exe,
is a security violation.

Meanwhile administrative user soft1 had a password. Meanwhile standard user
英語ユーザ had a password. Did you have some purpose in adding this straw
man to the discussion?
 
Seth

Norman Diamond said:
cmd.exe was launched using Vista's equivalent of "RunAs". That command
window and any programs started from that command window operate in the
context of user "soft1" not user "英語ユーザ". I still don't see why it
is considered acceptable for an instance of taskmgr.exe which is running
in the context of standard user "英語ユーザ" to display any of the tasks
which run in the context of a user other than "英語ユーザ".

Even though you used "RunAs", it was still launched from the current user's
context, so seeing it in Taskmgr isn't a security violation.

Now if you saw a process that "Soft1" launched via some other mechanism
(like via TELNET or something), that would be a security issue.
 
