Mail Archives: cygwin/1997/06/20/00:04:23

From: *jeffdb AT netzone DOT nospam DOT com (Mikey)
Subject: Re: EXE has file junk in it
20 Jun 1997 00:04:23 -0700 :
Approved: cygnus DOT gnu-win32 AT cygnus DOT com
Distribution: cygnus
Message-ID: <33aa1a9f.12200148.cygnus.gnu-win32@smtp.netzone.com>
References: <339AE088 AT gandalf DOT optimedia DOT co DOT il>
Reply-To: *jeffdb AT netzone DOT nospam DOT com
Mime-Version: 1.0
Original-To: "Vassilii Khachaturov" <vassilii AT optimedia DOT co DOT il>, gnu-win32 AT cygnus DOT com
In-Reply-To: <339AE088@gandalf.optimedia.co.il>
X-Mailer: Forte Agent 1.01/32.397
Original-Sender: owner-gnu-win32 AT cygnus DOT com

Does anyone have any clues as to a (fast) function that could be used to fill the
file with 0's from win32_whence to OLD_FILE_END after a SetFilePosition()
past FILE_END?

The following is the only (free ;^) information I could find about C2 security
settings for NT, no mention was made of win95, so I guess the rest of us
are SOL :^(.

and I quote.


[...] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager: 

Name: ProtectionMode 

Type: REG_DWORD 

Value: 1 

This registry setting informs the Windows NT Session Manager that security on the base system objects should be at C2 security level. Please refer to Appendix D of the Windows NT Resource Kit,
Version 4.0 Update Guide for the impact of this setting. 


Enabling System Auditing

Enabling system auditing can inform you of actions that pose security risks and possibly detect security breaches. 

To activate security event logging, follow these steps: 

     1.Log on as the administrator of the local workstation. 
     2.Click the Start button, point to Programs, point to Administrative Tools, and then click User Manager. 
     3.On the Policies menu, click Audit. 
     4.Click the Audit These Events option. 
     5.Enable the options you want to use. The following options are available: 

                    Log on/Log off: Logs both local and remote resource log ons.
                    File and Object Access: File, directory, and printer access.
                    Note: Files and folders must reside on an NTFS partition for security logging to be enabled. Once the auditing of file and object access has been enabled, use
                    Windows NT Explorer to select auditing for individual files and folders.
                    User and Group Management: Any user accounts or groups created, changed, or deleted. Any user accounts that are renamed, disabled, or enabled. Any
                    passwords set or changed.
                    Security Policy Changes: Any changes to user rights or audit policies.
                    Restart, Shutdown, and System: Logs shutdowns and restarts for the local workstation.
                    Process Tracking: Tracks program activation, handle duplication, indirect object access, and process exit. 

     6.Click the Success check box to enable logging for successful operations, and the Failure check box to enable logging for unsuccessful operations.
     7.Click OK. 

Note that Auditing is a "detection" capability rather than "prevention" capability. It will help you discover security breaches after they occur, and therefore should always be considered in addition to
various preventive measures. 

Auditing Base Objects

To enable auditing on base system objects, add the following key value to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa: 

Name: AuditBaseObjects 

Type: REG_DWORD 

Value: 1 

Note that simply setting this key does not start generating audits. The administrator will need to turn auditing on for the "Object Access" category using User Manager. This registry key setting tells
Local Security Authority that base objects should be created with a default system audit control list. 

Auditing of Privileges

Certain privileges in the system are not audited by default, even when auditing on privilege use is turned on. This is done to control the growth of audit logs. The privileges are:

       1. Bypass traverse checking (given to everyone)
       2. Debug programs (given only to administrators)
       3. Create a token object (given to no one)
       4. Replace process level token (given to no one)
       5. Generate Security Audits (given to no one)
       6. Backup files and directories (given to administrators and backup operators)
       7. Restore files and directories (given to administrators and backup operators)

1 is granted to everyone, so is meaningless from auditing perspective. 2 is not used in a working system and can be removed from the administrators group. 3, 4, and 5 are not granted to any user
or group and are highly sensitive privileges and should not be granted to anyone. However, 6 and 7 are used during normal system operations and are expected to be used. To enable auditing of
these privileges, add the following key value to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa: 

Name: FullPrivilegeAuditing 

Type: REG_BINARY 

Value: 1 

Note that these privileges are not audited by default, because backup and restore is a frequent operation and this privilege is checked for every file and directory backed up or restored, which can
lead to thousands of audits filling up the audit log in no time. Carefully consider turning on auditing on these privilege uses. 

Shutdown Option on Full Audit Log

In a C2-configured system, the auditing system of Windows NT provides an option to the administrator to shut down the system when the security audit log is filled up. To enable this, use the
following key value in the registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa: 

Name: CrashOnAuditFail 

Type: REG_DWORD 

Value: 1 

With this setting, the system will shut itself down when audit log full is detected. The value in the registry is reset to 2. When the system is rebooted, it only allows the administrators to log on to
the machine (locally or remotely). They will be required to clean the audit log (or archive it), reset the value to 1, and reboot the system before any other user is allowed to log on. 


C2 Security

The National Computer Security Center (NCSC) is the United States government agency responsible for performing software product security evaluations. These evaluations are carried out against
a set of requirements outlined in the NCSC publication Department of Defense Trusted Computer System Evaluation Criteria, which is commonly referred to as the "Orange Book." 

Windows NT has been successfully evaluated by the NCSC at the C2 security level as defined in the Orange Book, which covers the base operating system. 

In addition, Windows NT is currently under evaluation for its networking component of a secure system in compliance to the NCSC's "Red Book." The Red Book is an interpretation of the Orange
Book as applies to network security. 

Some of the most important requirements of C2-level security are the following:

       The owner of a resource (such as a file) must be able to control access to the resource. 
       The operating system must protect objects so that other processes do not randomly reuse them. For example, the system protects memory so that its contents cannot be read after a
       process frees it. In addition, when a file is deleted, users must not be able to access the data from that file.
       Each user must identify him or herself by typing a unique log on name and password before being allowed access to the system. The system must be able to use this unique identification to
       track the activities of the user.
       System administrators must be able to audit security-related events. Access to this audit data must be limited to authorized administrators.
       The system must protect itself from external interference or tampering, such as modification of the running system or of system files stored on disk. 

Additional C2 Evaluation Information

If you need to set up a C2-certifiable system, see Chapter 2, "Microsoft Report on C2 Evaluation of Windows NT." That chapter lists the hardware configurations in which Windows NT has been
evaluated. Chapter 2 also specifies the set of features that were implemented for C2 evaluation so that you can duplicate them if necessary for your own C2-certifiable system. These features are
essentially those recommended for high-level security in this chapter. 

For your C2 certification, you will need to choose the combination of security features described in this chapter, in Chapter 2 of Windows NT Server Networking Guide, and in the Windows NT
documentation that fits your particular combination of resources, personnel, work flow, and perceived risks. You might also want to study Appendix B, "Security in a Software Development
Environment," especially if you are using custom or in-house software. This appendix also provides information on managing and interpreting the security log and technical details on special-case
auditing (for example, auditing base objects). 


Setting up a C2-compliant System

To make it easier to set up a C2-compliant system, the C2Config application has been created and included in the Windows NT 4.0 Resource Kit. C2config.exe lets you choose from the settings
used in evaluating Windows NT for C2 security, and implement the settings you want to use in your installation. For details, see the online Help included with the application. 

On Sun, 08 Jun 97 18:41:00 I, you wrote:

>
>Some security standard "C2"  that NT is said to conform to, states that
>no process can see data from another process in a similar manner
>(it also says that if you delete something on the disk or in the memory,
>it must be zeroed).
>
>There is a switch in the NT registry that controls if this feature (zeroing) 
>is on.
>In 3.5, it was on by default,
>in 4.0 -- off by default.
>
>Unfortunately, I don't remember the exact key location...
>There is C2 configuration utility which comes in Resource Kit...
>(called c2config.exe or something like that)
>I think it will help you to locate the thing..
>
>It might happen that the same switch also works on win95, but is just
>off by default.
>   <omitted>
>The reason for this is probably that 'ld' is doing an fseek past the end of
>the file, or is setting the file pointer beyond the end of the file. Under
>Unix the new contents will be zero filled, under windows 95 they will 
>contain
>some memory contents from the swap file. If you were editing some text files
>just before the link, those discarded pages from your editor will end up in
>the executable!!!
>
>If I am right, you linked under windows 95. Please confirm this. I would 
>like
>to know if this theory is correct.

-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request AT cygnus DOT com" with one line of text: "help".
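The thread above is really about object reuse: a linker that seeks past the end of its output and writes there leaves a gap that the OS is supposed to fill with zeros, and on Windows 95 (FAT, no C2 protection mode) the gap comes back holding whatever was on disk or in the swap file before. The function Mikey asks for does not need to be anything exotic: never seek past EOF at all, but seek to the old EOF and write explicit zeros up to the target length, so there is no gap for the OS to fill. The following is an added example, not code from the original post or from Cygwin's `ld`; it is plain C stdio so it runs anywhere, and a raw Win32 port would use SetFilePointer()/WriteFile() in exactly the same pattern. The names `zero_extend`, `region_is_zero` and `run_demo` are hypothetical, and the 5-byte "HELLO" payload and 100000-byte target are constructed sample inputs. A second function checks that a file region is all zero, which is the test you would run on a suspicious output file. Sizes use `long`, so this version is limited to 2 GB files.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not from the post or from Cygwin):
 * grow `fp` to `new_size` bytes by writing explicit zeros starting at the
 * current end of file. Because we never seek past EOF, the OS is never asked
 * to fill a gap, so no stale disk or swap contents can end up in the file.
 * Returns the resulting file size, or -1 on error. Never shrinks the file. */
long zero_extend(FILE *fp, long new_size)
{
    static const unsigned char zeros[64 * 1024]; /* static => zero-initialised */
    long old_size, remaining;

    if (fseek(fp, 0L, SEEK_END) != 0)
        return -1;
    old_size = ftell(fp);
    if (old_size < 0)
        return -1;
    if (new_size <= old_size)
        return old_size;

    remaining = new_size - old_size;
    while (remaining > 0) {
        size_t chunk = remaining > (long)sizeof zeros ? sizeof zeros
                                                      : (size_t)remaining;
        if (fwrite(zeros, 1, chunk, fp) != chunk)
            return -1;
        remaining -= (long)chunk;
    }
    if (fflush(fp) != 0)
        return -1;
    return new_size;
}

/* Check that bytes [off, off + len) of `fp` are all zero.
 * Returns 1 if so, 0 if any non-zero byte is found, -1 on a short read. */
int region_is_zero(FILE *fp, long off, long len)
{
    unsigned char buf[4096];
    long done = 0;

    if (fseek(fp, off, SEEK_SET) != 0)
        return -1;
    while (done < len) {
        size_t want = (len - done) > (long)sizeof buf ? sizeof buf
                                                      : (size_t)(len - done);
        size_t got = fread(buf, 1, want, fp);
        size_t i;
        if (got == 0)
            return -1;
        for (i = 0; i < got; i++)
            if (buf[i] != 0)
                return 0;
        done += (long)got;
    }
    return 1;
}

/* Constructed demo: a 5-byte file grown to 100000 bytes.
 * Returns 1 if the payload is intact and the whole gap reads as zeros. */
int run_demo(void)
{
    FILE *fp = tmpfile();
    char head[5];
    int ok;

    if (!fp)
        return 0;
    if (fwrite("HELLO", 1, 5, fp) != 5) {
        fclose(fp);
        return 0;
    }
    ok = zero_extend(fp, 100000L) == 100000L
      && region_is_zero(fp, 5L, 99995L) == 1
      && zero_extend(fp, 10L) == 100000L      /* smaller target: no shrink */
      && fseek(fp, 0L, SEEK_SET) == 0
      && fread(head, 1, 5, fp) == 5
      && memcmp(head, "HELLO", 5) == 0;
    fclose(fp);
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("%s\n", ok ? "gap zero-filled, payload intact" : "FAILED");
    return ok ? 0 : 1;
}
```

The same zero-fill is what NT does for you on NTFS when ProtectionMode is on; on FAT under Windows 95 there is nothing in the OS to rely on, so the writer of the file has to do it, as above, rather than seeking to OLD_FILE_END + n and hoping.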


