Cracking Windows Access Control
Paper prepared for Hack.lu 2007
ABSTRACT
Windows access control has evolved from its original model to address current security threats, and overall it has become more and more complicated. Starting with Windows Vista, access control shifts towards mandatory access control (MAC). The shift is intended to mitigate weaknesses of discretionary access control (DAC), which relies on settings chosen by the user. This paper discusses the main weaknesses of discretionary access control: privilege elevation through impersonation, complexity of configuration, the specifics of ownership, and uncontrollable objects. It then describes how these issues are partly resolved by the new mandatory access control model, also known as integrity levels. The main focus is the least-privilege concept, or so-called "security boundary", which can be achieved by combining access control lists with integrity levels. A security boundary is required to reduce the attack surface and the damage caused by malware and targeted intrusions. While the recent access control developments help to enforce a real security boundary around untrusted applications, they have a number of usage limitations, which are described. Finally, the paper concludes that discretionary, user-based access control is generally inadequate and advocates true per-process permissions. Because per-process permissions are apparently too complicated for a human administrator to configure properly, a solution addressing the complexity problem is proposed.
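The abstract rests on one mechanism: a subject's access to an object is decided by the mandatory integrity label first and the discretionary ACL second, and a "security boundary" is what the two yield together. The following is an added, self-contained model of that decision written for this page; it is not code from the paper and it does not call the Windows API. The integrity level values and the label policy flags (NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP) follow the documented constants, while the READ/WRITE/EXECUTE access masks, the user and group names, and the sample objects are constructed for illustration. The model shows the ordering the paper relies on: a label can refuse a write that the DACL would allow, it never grants anything the DACL denies, and, because files carry only NO_WRITE_UP by default, a low-integrity process can still read the user's medium-integrity data, which is one of the limitations the paper describes.

```python
"""Model of a Windows access check: mandatory integrity label, then DACL.

Added example for this page; a simulation of the documented algorithm, not a
wrapper around the real AccessCheck API. Access mask values are illustrative.
"""
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    # Values match the RID of the mandatory label SIDs (S-1-16-<rid>).
    UNTRUSTED = 0x0000
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


# Constructed generic access rights for the model (real masks are 32-bit, per object type).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

# Mandatory label policy flags; values match SYSTEM_MANDATORY_LABEL_* in winnt.h.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # principal name stands in for a SID here
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list                                  # ordered ACEs; canonical order puts denies first
    label_level: Integrity = Integrity.MEDIUM   # objects without a label are treated as Medium
    label_policy: int = NO_WRITE_UP             # default policy for files and most other objects


@dataclass
class Token:
    user: str
    groups: set
    integrity: Integrity


def mandatory_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Integrity check, evaluated before the DACL. A subject below the object's level
    loses exactly the rights the label policy blocks ("up" = towards the higher level)."""
    if token.integrity >= sd.label_level:
        return True
    blocked = 0
    if sd.label_policy & NO_WRITE_UP:
        blocked |= WRITE
    if sd.label_policy & NO_READ_UP:
        blocked |= READ
    if sd.label_policy & NO_EXECUTE_UP:
        blocked |= EXECUTE
    return not (desired & blocked)


def dacl_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Walk ACEs in order: a deny overlapping a still-needed right ends evaluation;
    allows accumulate until every requested right is granted. A NULL DACL grants all."""
    if sd.dacl is None:
        return True
    principals = {token.user} | token.groups
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in principals:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def access_check(token: Token, sd: SecurityDescriptor, desired: int):
    """Return (granted, reason). The label can only take rights away; the DACL still decides."""
    if not mandatory_check(token, sd, desired):
        return False, "mandatory label"
    if not dacl_check(token, sd, desired):
        return False, "dacl"
    return True, "granted"


def demo() -> dict:
    """Constructed scenario: one user at medium and low integrity, another user at high."""
    alice_medium = Token("alice", {"Users"}, Integrity.MEDIUM)
    alice_low = Token("alice", {"Users"}, Integrity.LOW)      # e.g. a sandboxed browser
    bob_high = Token("bob", {"Users"}, Integrity.HIGH)
    # Alice's document: DACL grants only Alice; unlabelled, so Medium / NO_WRITE_UP applies.
    alice_file = SecurityDescriptor("alice", [Ace("allow", "alice", READ | WRITE)])
    # Alice's process object: Windows labels processes with NO_READ_UP as well as NO_WRITE_UP.
    alice_process = SecurityDescriptor("alice", [Ace("allow", "alice", READ | WRITE | EXECUTE)],
                                       Integrity.MEDIUM, NO_WRITE_UP | NO_READ_UP)
    return {
        "medium_write_own_file": access_check(alice_medium, alice_file, WRITE),
        "low_write_own_file": access_check(alice_low, alice_file, WRITE),      # label blocks
        "low_read_own_file": access_check(alice_low, alice_file, READ),        # label does not
        "high_write_other_users_file": access_check(bob_high, alice_file, WRITE),  # DACL blocks
        "low_read_medium_process": access_check(alice_low, alice_process, READ),  # NO_READ_UP
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The useful reading of the output is the third line: the same low-integrity token that is refused a write to Alice's file is still allowed to read it, so a boundary built from labels alone protects integrity, not confidentiality, unless the object also carries NO_READ_UP as process objects do.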