Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


March 10, 2008

Strengthening Permissions on Hard Links

A Web Exclusive from FAQ for Windows
Randy Franklin Smith
JSIFAQ
InstantDoc #98515
FAQ for Windows
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Tips Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

11393» Strengthening Permissions on Hard Links (10-March-08)

How important is the System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) security option? Are there any drawbacks to enabling this setting?

Microsoft documentation says that this setting "strengthens" the ACL of share objects, including DOS device names (e.g., lpt1, com1) and objects called mutexes and semaphores that multithreaded applications use for synchronization. This setting also strengthens ACLs on hard links in NTFS. The only proven vulnerability I know of that this setting protects against involves hard links. Hard links are similar to shortcuts but integrate much more deeply into the file system. Shortcuts are .lnk files; hard links are actual directory entries in the file system. Hard links allow you to, in essence, put the same file into many different folders at once.

At any rate, there's a published exploit method that tells how to destroy a data file by creating a hard link that looks like a temporary file but points to the data file. The exploit works only if a program running on the system has a high level of authority and creates files with predictable names such as log0001, log002, and so on. For example, mod_gzip, a popular module that performs Web page compression for Apache HTTP Server, creates log files according to a predictable naming convention. An attacker anticipates the name of a temporary file the program will use in the near future and creates a hard link that looks like a temporary filename but actually points to the file that the attacker wants to destroy. When the program reaches the bogus temporary filename, it unknowingly overwrites the file targeted by the attacker. Enabling System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) prevents an attacker from exploiting mod_gzip or other programs that create files with predictable names. I run my systems with this setting enabled and haven't linked any problems to it. Therefore, I recommend enabling this setting as a standard policy.

< P CLASS="Byline">—Randy Franklin Smith

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
PsExec

This freeware utility lets you execute processes on a remote system and redirect output to the local system. ...

Microsoft Delivers Service Pack 2 Beta 2 for Vista, Server 2008

Microsoft on Tuesday announced the availability of the Beta 2 version of Service Pack 2 (SP2) for Windows Vista and Windows Server 2008. Since both operating systems were developed from the same code base, they have a common servicing structure and thus ...

Windows Live Wave 3 Services Launch Begins

Late Tuesday, Microsoft began rolling out the services portion of its Windows Live Wave 3 launch. The company is shipping an unprecedented number of new and improved services that build off the success of Hotmail and Windows Live Messenger and attempt ...
Related Events Check out our list of Free Email Newsletters!
Related Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.

Implement a Successful Archiving Solution
View this web seminar to learn the best practices for creating an email archive that is secure, compliant, and searchable.
Protect Your Company’s Digital Assets
Do you know the risks of sending important files over email or FTP? Read this white paper to learn what you can do to safeguard your company’s data.

Prepare Yourself for Exchange Catastrophe
Read this white paper to learn how you can keep Exchange server healthy, as well as predict and respond to server failure.

Boost Customer Confidence and Satisfaction
Read this eBook to learn how faxing can ease communication with less computer-savvy customers while reducing your security, compliance and support woes.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing