Executive Summary: When using the search path to resolve a command name, Windows attempts to match the command name to file-based commands in the folders in the path. If you don't specify a file extension for the command, Windows Explorer automatically searches for files with the extensions .com, .exe, .bat, or .cmd. This search process is useful but has some quirks. Applications—particularly older ones—might add their own directories to the search path, possibly ahead of Windows' intended first search folders. Malicious coders might also use pathext to make Windows identify common command names such as regedit with their application files. Tools such as Windows Vista's User Access Control (UAC) don't solve the search problem. If you're performing an administrative task and have already elevated your privileges in a subshell, invasive code will run with no special prompting. However, on systems that don't need significant command-search customization, you can do some tweaking to make it very difficult for an attacker to use command search to escalate privileges. The tweaking simply involves locking down the search path wherever possible, modifying and locking down the pathext variable, and maintaining security for the folders used in the search process.
The Windows search path represents a significant potential vulnerability on many systems. I'll explain why, then show you how you can minimize the vulnerability by identifying machines that don't need modified command search and locking them down. . . .
Free Online Event! Virtualization:Get the Facts! Register now and attend this free, live in-depth online conference on November 13 and 20, 2008, produced by Windows IT Pro. All registrants are eligible to receive a complimentary one-year digital subscription to Windows IT Pro (a $49.95 value)!
Ease Your Scripting Pains with the Flexibility of PowerShell! Join MVP Paul Robichaux on December 11, 2008 at 11:00 AM EDT as he equips you with PowerShell basics in 3 introductory lessons, each followed by a live Q&A session—all on your own computer!
Latest Advancements in SSL Technology There are a variety of different kinds of SSL to explore to ensure customer data is kept confidential and secure. In this paper, we will discuss some of these SSL advances to help you decide which would be best for your organization.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Maximize Your SharePoint Investment: Get Your Data Moving Watch this web seminar now to learn how to maximize your SharePoint investment! Join us as we take a look at the complex business of securing, accessing and managing vast amounts of information in a global network and various ways to get your data moving.
Register
