Saturday, December 25, 2004 3:04 AM bart

PSP Episode 3 - Everyone = "including the bad guys"


Everyone should know the Everyone group in Windows. There's a problem related to this group however (otherwise I wouldn't blog about it). Read on...

Anonymous users

Applications exposed to the entire globe typically need to be open to everyone without prior authentication. Anyone can connect to the application to find out information about certain things, to perform certain actions, etc. The internet is the number one example. Okay, that's great, but how can we control what anonymous, unauthenticated users can and can't do? As always, the answer should have to do with user rights, thus with ACLs. Great answer, isn't it? Not at all: how can we grant certain rights to an unknown user, or how can we impersonate a client that has no token? The solution is pretty simple however: there is a well-known account called ANONYMOUS LOGON (SID S-1-5-7). When an anonymous user connects to the system, a special kind of session is created, called a null session. The anonymous user has very low privileges, but its token includes the Everyone group. This explanation should be enough to understand the problem. For developers, when you need to impersonate an anonymous user, you can use the Win32 ImpersonateAnonymousToken function, but after reading this post you might be thinking about running anonymous users under a fixed identity that you control (which would make sense for sure).

What's in a name?

The word "Everyone" just tells us everything we need to know. It's really everyone, including anonymous users. Luckily, there's another group called Authenticated Users, which contains everyone but the ANONYMOUS LOGON. That is, the people we know since they have authenticated on the system. When ACLing, use Authenticated Users instead of Everyone.
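As an added example (my own script, not part of the original post), here is a PowerShell audit that walks a folder tree and reports every explicit Allow ACE granted to Everyone (S-1-1-0). With the assumed `-Fix` switch it re-grants the same rights to Authenticated Users (S-1-5-11) instead, which is the replacement the text recommends; the `$Root` default path is an assumption and should be changed to the tree you want to audit.

```powershell
# Added example, not code from the original post.
# Reports explicit ACEs granting access to Everyone (S-1-1-0) under $Root and,
# only when -Fix is given, replaces each one with an identical ACE for
# Authenticated Users (S-1-5-11). Without -Fix nothing is modified.
param(
    [string]$Root = 'C:\inetpub\wwwroot',   # assumed path; point it at the tree to audit
    [switch]$Fix                            # assumed switch; omit to report only
)

$everyoneSid  = 'S-1-1-0'    # Everyone, includes anonymous when the policy allows it
$authUsersSid = 'S-1-5-11'   # Authenticated Users
$authUsers    = New-Object System.Security.Principal.SecurityIdentifier $authUsersSid

Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # skip objects we cannot read

        # Only explicit (non-inherited) Allow entries: inherited ones are fixed
        # at the parent where they originate.
        $hits = $acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
        }

        foreach ($ace in $hits) {
            [pscustomobject]@{
                Path        = $item.FullName
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
            }
            if ($Fix) {
                # Same rights, inheritance and propagation, granted to Authenticated Users.
                $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $authUsers, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
                $acl.RemoveAccessRuleSpecific($ace)
                $acl.AddAccessRule($replacement)
                Set-Acl -LiteralPath $item.FullName -AclObject $acl
            }
        }
    }
```

Run it once without `-Fix` and review the output first: an Everyone ACE on a folder that genuinely must serve anonymous clients (an IIS anonymous content directory, for instance) should be granted to the specific anonymous identity rather than to Authenticated Users, which the script cannot decide for you.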

Secure by default

Windows XP and Windows Server 2003 give an answer to these problems by means of a local security policy called "Network access: Let Everyone permissions apply to anonymous users". When disabled (the default), the Everyone group SID is left out of the token of a null session, therefore denying anonymous users access to resources available to Everyone. You should look at this policy as a redefinition of the word Everyone. By default it's disabled, and that's great. So why bother about this at all? The answer is that this is still configurable, and when you enable it, your network might be open for attack. Authenticated Users is still a must to avoid this kind of problem.

Another great thing is that the LanmanServer service used by Windows file sharing has some registry settings to control the behavior of null sessions. NullSessionShares and NullSessionPipes list the shares and named pipes that null sessions may reach; anything not listed is denied to the anonymous user. By default, the parameters are configured to deny null sessions.
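To read these settings back on a machine, here is an added PowerShell check (my own, not from the original post). The "Let Everyone permissions apply to anonymous users" policy is stored as the EveryoneIncludesAnonymous value under the Lsa key, and the LanmanServer lists live under its Parameters key; the script also reads RestrictNullSessAccess, the value that makes the server honour those lists, which the post does not mention. Nothing is changed; run it as an administrator so every key is readable.

```powershell
# Added example, not code from the original post. Reports the anonymous-access
# settings discussed in the text and flags values that would let null sessions
# reach resources ACLed for Everyone.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }   # $null = value absent, default applies
}

# Policy "Network access: Let Everyone permissions apply to anonymous users".
# 0 or absent = disabled (secure default); 1 = Everyone SID added to anonymous tokens.
$eia = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
$eiaStatus = if ($eia -eq 1) { 'WARNING: Everyone SID is added to anonymous tokens' } else { 'OK' }
[pscustomobject]@{ Setting = 'EveryoneIncludesAnonymous'; Value = $eia; Status = $eiaStatus }

# Shares and named pipes reachable by null sessions; an empty list is the safe state.
foreach ($name in 'NullSessionShares', 'NullSessionPipes') {
    $list = @(Get-RegValue $lanman $name | Where-Object { $_ })
    $listStatus = if ($list.Count -gt 0) { 'REVIEW: reachable by null sessions' } else { 'OK' }
    [pscustomobject]@{ Setting = $name; Value = ($list -join ', '); Status = $listStatus }
}

# RestrictNullSessAccess: 1 or absent = server honours the lists above;
# 0 = every share and pipe is open to null sessions regardless of the lists.
$rnsa = Get-RegValue $lanman 'RestrictNullSessAccess'
$rnsaStatus = if ($rnsa -eq 0) { 'WARNING: null sessions can reach all shares and pipes' } else { 'OK' }
[pscustomobject]@{ Setting = 'RestrictNullSessAccess'; Value = $rnsa; Status = $rnsaStatus }
```

A machine in the state the post calls "secure by default" shows OK on every row; a WARNING on EveryoneIncludesAnonymous means the Everyone ACEs on that system once again include the anonymous user, which is exactly the situation the Authenticated Users advice above protects against.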

IIS = different

IIS does not use null sessions for anonymous access however. Instead, IIS impersonates anonymous users as the IUSR_%COMPUTERNAME% account, which is in fact not a bad idea at all, since it requires you to grant this account access explicitly to the files you want to expose to the web anonymously. Nevertheless, IIS is a complex thing, which I'll be blogging about later when talking about application pools, ASP.NET usage, impersonation, and more.

Comments

# Bart's PSP (Personal Security Push)

Monday, December 27, 2004 6:34 AM by TrackBack