0

Xp IE user woes can or could have been prevented by running/browsing IE on a Limited account.

Definition:
Limited account: Assigning limited user accounts is an effective way to prevent inexperienced or unauthorized users from changing computer settings or deleting important files. Resource:http://www.microsoft.com/windowsxp/home/using/howto/gettingstarted/sharing/default.asp

This means Viruses,Trojans,Spyware,Addware,Backware,malicious scripts,malicious Codes ect........

comment made by: JOE SCHMOE
As far as I know there are still several unfixed security holes in IE dating back as far as 2 years. Hopefully these bugs will be fixed for windows users when Microsoft officially releases Windows XP SP2. Unfortunately SP2 might go as badly for some as SP1.

Big "B's Response: Run IE as a less privileged user, all bugs fixed without patching. Gee that was tough.

9
Contributors
16
Replies
17
Views
13 Years
Discussion Span
Last Post by WEATHER CHANNEL
0

"Big B's Response: Run IE as a less privileged user, all bugs fixed without patching. Gee that was tough."

Unless I'm missing something the problem is not with the account...it's the fact that IE, which operates with the OS at the system level, can be used to attain system level privileges or root which you may have heard of.

0

Unless I'm missing something the problem is not with the account...it's the fact that IE, which operates with the OS at the system level, can be used to attain system level privileges or root which you may have heard of.

Unless, I too, am missing something, wouldn't running as a limited user prevent this unauthorized access in the first place?

~Masta

0

The user is not the problem if the browser is calling functions at the system level. Just because the browser is opened by the user does not mean that all functions run by the browser are also run as that user...they're run on the system level. Say you hit a website and IE is trying to interpret script, the function to process that code is passed in a system level process. If that process executes code which is able to exploit a vulnerability in the OS the result could be system level privileges to execute the code of choice, the box is owned - root has been owned...because the process operates at the system level, which is independent of who is logged in or what rights they have. If they can run IE the problem still exists. Sure you could limit the users to be unable to run IE but that's not a very good solution. The culprit here is the OS itself...not the user. Patch the box!

0

Patch the box!

Agreed. Of course, using an alternative browser couldn't hurt. Although, I will admit, I have read about certain vulnerabilities, where, utilizing IE or not, could still give an attacker root on the machine. However, most would agree that using a less privileged account is going to mitigate many future vulnerabilities.

0


Big "B's Response: Run IE as a less privileged user, all bugs fixed without patching. Gee that was tough.

Yeah really!
People always ask me why I never patch my personal windows systems, well here is a fine example of seven worthless patches that I won't be applying. People it's not that hard to read a book or two.
Why I am not installing any of these.:

  • MS03-041:
    A properly configured system according to Microsoft's TFM should only allowed trsuted sites to execute ActiveX. I have included this and have gone above and beyond by configuring internet client software to run as the user CLIENT_NET which is a member of GUESTS. Even trusted code execution will be limited to this user's powers and not be able to make any non-password prompted changes to the user's environment.
  • MS03-042: Same as above
  • MS03-043: The TFM indicates the Messsenger service should be disabled unless it is remotely filtered (so for LAN use only).
  • MS03-044: The TFM suggests the disabling of the HCP protocol and users are to be directed to the local administration for support.
  • MS03-045: The utility manager should not be used by normal users and should be disabled, this is covered indirectly in the TFM as well.
  • MS03-046: The Exchange TFM discusses the value of filtering SMTP protocol extensions. IAS fills this role very nicely.
  • MS03-047: I use exchange server 2000.
  • You do the math

I really love how Microsoft lists the proper configuration as a work around as to not make people that failed to apply the proper configuration in the first place feel stupid. And people say they are evil. *wink*wink*

0

I dont see how this sloves anything as IE is run on the system level regardless of whos using it :) unstuck

0

Looking through alot of the troubles in most IE forums, a vast majority are using adminastrative accounts abviously. Less computer savey people (97% of the members)will not understand the benefits of a limited account and thats ashame IMHO.

I will post a sticky here on the correct usage of IE later.

0

Personally, I feel a Windows limited account is only a good solution for younger children on a family computer. Windows limited/admin accounts just aren't the same nor as powerful IMHO as *nix based accounts are. For example, in *nix, I am never a root user but in Windows I am always Administrator. I feel there are much stronger 3rd party forms of Windows security (i.e. Windows 2003 Server solutions, Novell Netware client for Windows, etc.)

1

Unless I'm missing something the problem is not with the account...it's the fact that IE, which operates with the OS at the system level, can be used to attain system level privileges or root which you may have heard of.

Yes, your missing alot, I can provide reading material to both you and FARANTH if you'd like.

The user is not the problem if the browser is calling functions at the system level. Just because the browser is opened by the user does not mean that all functions run by the browser are also run as that user...they're run on the system level. Say you hit a website and IE is trying to interpret script, the function to process that code is passed in a system level process. If that process executes code which is able to exploit a vulnerability in the OS the result could be system level privileges to execute the code of choice, the box is owned - root has been owned...because the process operates at the system level, which is independent of who is logged in or what rights they have. If they can run IE the problem still exists. Sure you could limit the users to be unable to run IE but that's not a very good solution. The culprit here is the OS itself...not the user. Patch the box!

What are you talking about, did you google this response? IE is a normal program which executes at the same level as whatever user is running it.
Although there have been many exploits in IE which give user level privileges, as far as I'm aware it has never been implicated in a local privilege elevation vulnerability (Of course many Windows users run everything as admin hence making the distinction rather academic).Think about it!

It's lies.. (your whole response)


You make no sense at all. Remeber IE is a program, not a service! Take a closer look at it's core capabilities and you'll quickly realize that there are many easier (and logical) places to attempt these types of attacks.

I dont see how this sloves anything as IE is run on the system level regardless of whos using it

Wrong, your in the same boat as anoied. (2nd time)IE is a normal program which executes at the same level as whatever user is running it.

wouldn't running as a limited user prevent this unauthorized access in the first place.

Yes,the fact that you are running it as a restricted level prevents root level scripts from running.
So I would say that affleck's sticky is correct he just did not go in to detail.
I know this is a Tech Support Site but we should not be ignorant to the fact that security is paramount & can be applied, all the while maintaining complete functionality.*wink*wink*
Let me just say this, people, if you do your taxes on your home PC and you are running on an admin account your identity amongst other things are at stake. (Your SS#, your life, and pretty much anything on the HDD).

Votes + Comments
Well Done on Support.
0

[snip]
You make no sense at all. Remeber IE is a program, not a service! Take a closer look at it's core capabilities and you'll quickly realize that there are many easier (and logical) places to attempt these types of attacks.
[/snip]

Uhhh... not exactly. IE's functionality is fully integrated into Windows at the lowest levels in all versions from Win98 on. For example, it's what allows the Quick Launch bar to work and provides the ability to view the desktop (Active Desktop) and folders as web pages. There are all kinds of vunerabilities that this causes: see http://www.secunia.com for several exploits that can be directly traced to IE's integration at this level. It was a bad idea 5 years ago and it's an even worse idea now!

0

[snip]Uhhh... not exactly. IE's functionality is fully integrated into Windows at the lowest levels in all versions from Win98 on. For example, it's what allows the Quick Launch bar to work and provides the ability to view the desktop (Active Desktop) and folders as web pages. There are all kinds of vunerabilities that this causes: see http://www.secunia.com for several exploits that can be directly traced to IE's integration at this level. It was a bad idea 5 years ago and it's an even worse idea now![/snip]

Ok,I did not have much time at my work to reply to this fully.
Your points have some truth to them Tallcool1, however, the specific reference I made is to privilege escalation, not buffer overflows and other vulnerabilities which are listed on the site that you pointed me to (but that's another topic). Sure, you will see a variety of issues with an app that is integrated with an OS but you will find a pattern of vulnerabilities which really do not include privilege escalation. Anyway, arguing with people who post uneducated guesses on a subject & people who do not understand security well enough to discuss it objectively is a really a dead-end.

I just had to correct the misleading drivel.I Couldn't believe the replies that I read in this thread. Tallcool1 I'm suprised you didn't correct Antioed a month ago, you being a moderator and all. I'm suprised all the moderators didn't see this and correct it either. Do you not have a legitimate IE forum mod or something?
I will post the correct usage of IE, how to configure the security zones, restricted sites, and how you allow it to handle cookies, Active X, etc....later tonight. Security is one of my forte's.
Anyone else want to throw in an opinion? Like I said I can provide reading material.

We will keep it simple for the ones who have lack of knowledge on the matter or who just failed to read the TFM in the first place.

*Close IE, *Open the Task Manager, *Re-open IE. Now look at the task manager. Under the User Name column, what does it say?

I thought so.....User Level Process! A user level process . That was a tough one.

Personally, I feel a Windows limited account is only a good solution for younger children on a family computer. Windows limited/admin accounts just aren't the same nor as powerful IMHO as *nix based accounts are. For example, in *nix, I am never a root user but in Windows I am always Administrator. I feel there are much stronger 3rd party forms of Windows security (i.e. Windows 2003 Server solutions, Novell Netware client for Windows, etc.)

Run a command promp as admin or in your case just open it up and type:

net users

Wow, what do we have here a attackers best friend times two. I don't even have to guess the login name. *wink*wink*

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.