Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


March 10, 2008

Strengthening Permissions on Hard Links

A Web Exclusive from FAQ for Windows
Randy Franklin Smith
JSIFAQ
InstantDoc #98515
FAQ for Windows
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Tips Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

11393» Strengthening Permissions on Hard Links (10-March-08)

How important is the System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) security option? Are there any drawbacks to enabling this setting?

Microsoft documentation says that this setting "strengthens" the ACL of share objects, including DOS device names (e.g., lpt1, com1) and objects called mutexes and semaphores that multithreaded applications use for synchronization. This setting also strengthens ACLs on hard links in NTFS. The only proven vulnerability I know of that this setting protects against involves hard links. Hard links are similar to shortcuts but integrate much more deeply into the file system. Shortcuts are .lnk files; hard links are actual directory entries in the file system. Hard links allow you to, in essence, put the same file into many different folders at once.

At any rate, there's a published exploit method that tells how to destroy a data file by creating a hard link that looks like a temporary file but points to the data file. The exploit works only if a program running on the system has a high level of authority and creates files with predictable names such as log0001, log002, and so on. For example, mod_gzip, a popular module that performs Web page compression for Apache HTTP Server, creates log files according to a predictable naming convention. An attacker anticipates the name of a temporary file the program will use in the near future and creates a hard link that looks like a temporary filename but actually points to the file that the attacker wants to destroy. When the program reaches the bogus temporary filename, it unknowingly overwrites the file targeted by the attacker. Enabling System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) prevents an attacker from exploiting mod_gzip or other programs that create files with predictable names. I run my systems with this setting enabled and haven't linked any problems to it. Therefore, I recommend enabling this setting as a standard policy.

< P CLASS="Byline">—Randy Franklin Smith

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Accessing Database Data with ADO

...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

Internet Explorer 8 Beta 2 Goes Public

Microsoft on Wednesday shipped the Beta 2 version of its upcoming Internet Explorer (IE) 8 Web browser. This version of the product, which will be made available free to Windows XP, Vista, 2003, and 2008 users, adds many functional advances and some new ...
Related Events Check out our list of Free Email Newsletters!
Related Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Maximize your SharePoint Investment – 8 Cities
Discover best practices and tips for both architecting and administering SharePoint. Early Bird Price of $99 through Sept 15th.

Find a new job now on the all new IT Job Hound!
Search jobs, post your resume, and set up job e-mail alerts!

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Top Tools for Virtualization Disaster Recovery & Replication
View this web seminar on August 14th to learn about two tools that will result in faster backup and restore with P2V disaster recovery.

SharePointConnections Conference Fall 2008
Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

VMworld 2008 - Sign Up Today!
Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.



Increase Application Performance
Free White Paper by Editor's Best winner, Texas Memory Systems.

Microsoft® Tech•Ed EMEA 2008 IT Professionals
Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Are You Really Compliant with Software Regulations?
View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing