Security Adviser | Roger A. Grimes

December 02, 2006

Does Vista's Windows Resource Protection protect enough?

I was playing with Vista's WRP last night and found that it does not completely protect many system files that you would expect it to protect.

Win ME's System File Protection and 2000 and XP's Windows File Protection protected about 99% of the files that were installed or upgraded by Windows. Delete, modify, or rename one of the protected files and the file would come right back. SFP and WFP didn't always restore the file with the correct permissions (it restored the parent permissions), but it indirectly stopped computer viruses from infecting most Windows system files. It stopped hoax virus victims from deleting protected files, and it even helped out last month when one of the popular antivirus programs was going around deleting legitimate Windows files accidentally.

Sadly, on my initial review it appears that WRP isn't nearly as protective as WFP. I looked forward to WRP because it protects registry keys too, and prevents protected files from being modified in the first place. SFP and WFP allowed the modification, but then undid it.

I demo'd this recovery behavior in WFP all the time in classes and presentations. I'd delete wscript.exe, wait a few seconds, and then watch it "magically" re-appear. Classes and audiences loved it. Linux didn't have that.

In Vista, it's much harder to delete a system file because of WFP and because all files are owned by the TrustedInstaller service by default. But if you are an Admin-level person, and Take Ownership of a file, add the appropriate ACE, then you can modify, rename, or delete protected resources.

In Vista last night, I took ownership of wscript.exe and then deleted it. Then I waited for it to re-appear. It never did. My friend Jesper Johansson told me that only Windows system files involved in the start-up are stored in the cache and replaced automatically. And he's right.

Here's a list of what WRP protects.

In checking \Windows\Winsxs\backup, I found nearly 2000 files (the entries have long names, but the file name each one represents is embedded in the longer name). You'd be surprised as to what is and isn't covered. In WFP, if a protected file wasn't in the cache, the system would normally prompt you for an installation CD. In WRP, if the file isn't in the backup cache (and you can't modify or add to what's in the backup cache), you're out of luck.
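One way to audit the two things described above for a given system file, whether it is still owned by TrustedInstaller and whether a copy sits in the WinSxS backup cache, is a small PowerShell script like the following. This is an added example, not code from the original post; it assumes the backup entries embed the protected file name delimited by underscores (a heuristic, as the post only says the name is contained in the longer name) and that the owner string reads "NT SERVICE\TrustedInstaller".

```powershell
# Added example: report WRP status for a list of system files.
# Assumptions: backup entries in WinSxS\Backup contain "_<filename>_" somewhere
# in their long names; untouched files are owned by NT SERVICE\TrustedInstaller.
param(
    [string[]]$Files = @("$env:WINDIR\System32\wscript.exe",
                         "$env:WINDIR\System32\notepad.exe"),
    [string]$BackupDir = "$env:WINDIR\WinSxS\Backup"
)

function Get-WrpBackupCopies {
    # Returns the backup-cache entries whose long name embeds $FileName.
    param([string]$FileName, [string]$BackupDir)
    $pattern = '_' + [regex]::Escape($FileName) + '_'
    Get-ChildItem -LiteralPath $BackupDir -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match $pattern }
}

function Get-WrpStatus {
    # One record per file: does it exist, who owns it, is a backup copy present.
    param([string]$Path, [string]$BackupDir)
    $exists = Test-Path -LiteralPath $Path
    $owner  = if ($exists) { (Get-Acl -LiteralPath $Path).Owner } else { $null }
    $copies = @(Get-WrpBackupCopies -FileName (Split-Path -Leaf $Path) -BackupDir $BackupDir)
    New-Object PSObject -Property @{
        File           = $Path
        Exists         = $exists
        Owner          = $owner
        # Owner changed away from TrustedInstaller is the tell-tale sign the
        # post describes (Take Ownership before modify/rename/delete).
        OwnedByTI      = ($owner -eq 'NT SERVICE\TrustedInstaller')
        BackupCopies   = $copies.Count
        # No backup copy means WRP will not put the file back if it is removed.
        AutoRestorable = ($copies.Count -gt 0)
    }
}

$Files | ForEach-Object { Get-WrpStatus -Path $_ -BackupDir $BackupDir } |
    Select-Object File, Exists, Owner, OwnedByTI, BackupCopies, AutoRestorable |
    Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read owners on files in System32; a file that exists, is no longer owned by TrustedInstaller, and has zero backup copies is the case the post warns about.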

I'm perplexed. In Vista we have a potentially better mechanism, that prevents modifications and protects registry keys, but it doesn't replace all modified or deleted system files? What is Windows Resource Protection when it doesn't fully protect a significant amount of Windows system files?

Yes, it takes a lot to mess with a System file in the first place, but I can see a virus, worm or bot automating what I did manually. Or an updated hoax virus warning with "removal instructions".

Ah, I'm just upset that a good demo is gone using a file I didn't mind losing if it didn't work in the first place.

Posted by Roger Grimes on December 2, 2006 11:56 AM

COMMENTS
Well, if this article were posted on an MSDN blog, with the team that developed the technology, I am sure we would have a discussion that revealed the validity of the observation.

As it is, this article doesn't really give insight and just presents a possible "might not be that protective". Which is really just speculation at this point.

As a technical person myself, these kinds of articles hold no value because they aren't part of a discussion which is open to all parties (such as being discussed on a team site or technical blog).
-----------
Roger's Reply:

Thanks for reading and writing.

(I'm always amazed how me bringing up a subject somehow disappoints a reader.)

WRP has been discussed in private Microsoft forums that I belong to that are full of Microsoft technical people. I, and others, have done hours of WRP testing to figure out how it works, beyond the minimum documentation available at this point.

I don't belong to many of the public forums, because to be honest, they aren't that helpful overall. Too much noise and not enough technical discussion. But I welcome you presenting the topic in any forum you wish, so you can participate in those debates and information sharing. If you learn anything beyond speculation and opinion, please come back to share.

I've presented some facts, and what the experts on the different sides of this topic are saying comes down to their opinion.

It is a little harder for anyone, including an Administrator, to modify a Windows system file. But programmatically, it can be done, and malware and hackers will use the vector to modify files that they could not have accomplished in the past with WFP.

You'll not find a single malware program, out of the hundreds of thousands, that was successful at modifying a single Windows system executable in 2000 or XP, because of WFP. But it will be possible in Vista because of WRP. That's a fact.

To be honest, since there is zero chance this feature will change anytime soon, why argue too much one way or the other?

Posted by: toast at December 2, 2006 06:55 PM
