From: Vi...@thebeach.u-net.com (Vijay Bhakta)
Subject: Security flaw with Office97
Date: 1997/07/16
Message-ID: <33cc7dd4.5378994@news.u-net.com>#1/1
X-Deja-AN: 257167724
Organization: U-NET Ltd
Reply-To: vi...@thebeach.u-net.com
Newsgroups: comp.os.ms-windows.nt.admin.security
Hi,
We have come across what seems to be a serious flaw with the NTFS
security required by Office97.
We have set our NT 4.0 workstations with the tightend security as
shown in the resource kit as we dont want the user to have write
access to any part of the hard drive (with the exception of c:\temp).
We started getting a few funnies with office, which we couldnt work
out, looking thru Technet revealed a worrying article - Q169387
"OFF97: Security Requirements when using NTFS Partitions"
What this article basically says is that you need to give read/write
permissions to c:\, c:\winnt, c:\winnt\forms and directories under
c:\Program Files\Microsoft Office.
The article is here ->
http://www.microsoft.com/kb/articles/q169/3/87.htm
has anyone else addressed this problem, because, as it stands now - we
will not be allowed to install Office97 anywhere.
Thanks
Vijay Bhakta
Vijay Bhakta
http://www.thebeach.u-net.com
From: dlebl...@mindspring.com.remove-this (David LeBlanc)
Subject: Re: Security flaw with Office97
Date: 1997/07/17
Message-ID: <33cd6069.942113998@news.mindspring.com>#1/1
X-Deja-AN: 257372836
References: <33cc7dd4.5378994@news.u-net.com> <5qj8et$3s8@apache.dtcc.edu>
X-Server-Date: 17 Jul 1997 00:15:11 GMT
Organization: MindSpring Enterprises
Newsgroups: comp.os.ms-windows.nt.admin.security
we...@apache.dtcc.edu (Ken Weaverling) wrote:
>In article <33cc7dd4.5378...@news.u-net.com>,
>Vijay Bhakta <vi...@thebeach.u-net.com> wrote:
>>Hi,
>>We have come across what seems to be a serious flaw with the NTFS
>>security required by Office97.
>Oh joy, why am I not surprised? :-(
Maybe because you're overly pessimistic?
>>What this article basically says is that you need to give read/write
>>permissions to c:\, c:\winnt, c:\winnt\forms and directories under
>>c:\Program Files\Microsoft Office.
>I found this hard to believe, but sure 'nuff...
> * The following folders must have read/write permission:
> C:\
> C:\Temp
> C:\Winnt
> C:\Winnt\Forms
> C:\Winnt\System32
> C:\Program Files\Microsoft Office
> C:\Program Files\Microsoft Office\Office
>This begs the question "What's the point of having security in the first
>place?"
Not at all. If you think about what you can really do here, it isn't
that big a deal. Somewhat annoying, yes, but nothing you can't work
with. What you want to do is to allow the users _change_ permission
to these directories at the directory level. However, the files
within these directories can (and should) be RX (read) for normal
users. If the user only has change permissions at directory level,
they cannot delete any file they do not own (or have D access to) - so
your system files are quite safe. The only mischief they can get into
is with the temp files which are actually written.
>How am I supposed to set up a "ZAK app station" if my users can
>install and/or write anything they want from the root directory, bin
>directory, etc?
See above. Install NT, lock down the system files to RX only for
users, then set the above directories to change for users. Also, the
\winnt\profiles directory has bad permissions - fix it while you're in
there. Now install Office as admin - admin now _owns_ all of those
files. Set directory and file permissions as above, and go back and
loosen the files in the list. The users can now use Office, but
cannot tamper with any files which are either part of the OS, or files
you put there.
They can also write other new files to those directories, which isn't
an especially good thing, but they certainly can't muck with what was
there before them. If you want to be clever about it, audit those
directories, and write a script to nuke off any new files which you
don't approve of - dump the event log to text, grep out what you want,
then zap them.
Then you write a nasty-gram to the Office people and tell them to get
a clue about security. Having stupid apps that think they need to
write all over the system directories is completely ridiculous.
However, just throwing up your hands and deciding it can't be secured
isn't an effective response. You need to do the best you can with
what you've got - think in terms of solutions. You may not be able to
make it ideal, but you can certainly make it better.
David LeBlanc |Why would you want to have your desktop user,
dlebl...@mindspring.com |your mere mortals, messing around with a 32-bit
|minicomputer-class computing environment?
|Scott McNealy
From: jer...@netcom.com (Jeremy Allison)
Subject: Re: Security flaw with Office97
Date: 1997/07/17
Message-ID: <jeremyEDH4Au.Iyp@netcom.com>#1/1
X-Deja-AN: 257494241
Sender: jer...@netcom13.netcom.com
References: <33cc7dd4.5378994@news.u-net.com> <5qj8et$3s8@apache.dtcc.edu>
<33cd6069.942113998@news.mindspring.com>
Organization: Netcom On-Line Services
Newsgroups: comp.os.ms-windows.nt.admin.security
dlebl...@mindspring.com.remove-this (David LeBlanc) writes:
>Maybe because you're overly pessimistic?
I don't think so.
>> * The following folders must have read/write permission:
>> C:\Winnt\System32
>Not at all. If you think about what you can really do here, it isn't
>that big a deal. Somewhat annoying, yes, but nothing you can't work
>with. What you want to do is to allow the users _change_ permission
>to these directories at the directory level. However, the files
>within these directories can (and should) be RX (read) for normal
>users. If the user only has change permissions at directory level,
>they cannot delete any file they do not own (or have D access to) - so
>your system files are quite safe. The only mischief they can get into
>is with the temp files which are actually written.
David, what about the announcement on the NT security list
that the Win32 subsystem will read lower case files before
it reads mixed or upper case files. In which case the
users install a trojan horse using the POSIX subsystem
(which allows files with differing case) directly into
the Win32 directory - effectively replacing a system .DLL.
Now I know that there *aren't* any such trojans right
now. But I bet there are people actively working on them
(and I bet we both know their names too :-).
The missing step here is to go through and rename
*everything* in SYSTEM32 to lower case.
>They can also write other new files to those directories, which isn't
>an especially good thing, but they certainly can't muck with what was
>there before them. If you want to be clever about it, audit those
>directories, and write a script to nuke off any new files which you
>don't approve of - dump the event log to text, grep out what you want,
>then zap them.
Now that's a good idea - but it's rather a rigmarole to go
through - and it won't fix someone using a transient trojan
.DLL to break security - if a system .DLL can be masked via
case.
>Then you write a nasty-gram to the Office people and tell them to get
>a clue about security. Having stupid apps that think they need to
>write all over the system directories is completely ridiculous.
>However, just throwing up your hands and deciding it can't be secured
Good luck getting them to listen unless you have a *lot* of
money in your hand - after all, until people stop buying this
stuff as it is so poorly designed, what's the incentive
for it to be improved ? And after all, when people are
actually sending Word documents (an undocumented format) and
seriously proposing that this be made a company 'standard'
(now that's a laugh, Word documents aren't even a standard
between different versions of Word, let alone across other platforms)
then what choice do you really have ?
Jeremy Allison.