Suggestion on how to improve Windows security

Discussion in 'Windows 10 Software' started by Robert Diao, May 16, 2017.

  1. Robert Diao

    Robert Diao New Member

    Joined:
    May 16, 2017
    Messages:
    4
    Likes Received:
    2
    The current Windows is too vulnerable!
    For example, Windows can be damaged just because I clicked an attached file in an email.

    The root cause is that all applications (or executable files) inherit the full privileges of the logged-in user! We can't define privileges for specific apps. In a modern OS, access management based on the application level (not the user level) is much needed.

    As a network security engineer, I have been looking forward to this function for many, many years. As far as I know, it is already supported by the Linux community. AppArmor and SELinux in Linux are a good method of achieving OS security.

    So, my suggestion is as below:
    1. Application-level access lists can be supported (just like AppArmor or SELinux).
    2. So that customers can use it, the default configuration would be as below:
    * The Windows kernel can access any folder and resource.
    * A formally installed application can access its home folder and the resources it was granted when it was installed.
    * Uninstalled applications or executable files can only access a temporary folder.
    3. Using a management tool, the above access lists can be modified for every application or executable file.
     
    #1 Robert Diao, May 16, 2017
    Last edited: May 16, 2017
    bochane likes this.
  2. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    3,158
    Likes Received:
    491
    I believe there is room for clarification on Windows security. Most malware infections occur because most home users use an account that belongs to the Administrators group; this is a bad practice on Microsoft's part.

    Windows Security Features
    • ACEs and ACLs
      • These grant access to securable objects either by user or group membership. A securable object can be a named pipe, file, directory, service, registry key, or access token, to name a few.
    • Mandatory Labelling w/ NO WRITE UP
      • There are three mandatory labels: LOW, MEDIUM, and HIGH. These come into play when writing and accessing data: every process runs at a given label and can only write to a file or directory of the same or lower label. All users and user processes run at the MEDIUM label level, and important resources such as operating system files require the HIGH label level to access. This is where UAC comes into play, again tied into administrator accounts.
    • Privileges
      • These provide access to system operations and tasks. An example of a privilege is shutting down the computer: you can configure it so that only certain users can even turn off the computer. These are generally locked down and are also only editable from a Pro or Enterprise copy of Windows with the secpol.msc management console. They are often used for setting up the privileges an application server requires.
    • UAC (User Access Control)
      • This actually runs in a separate session which the user and user applications cannot access, to prevent user-space malware from bypassing it through conventional means. (When you see the UAC pop-up, your screen is actually switched to session 1, and what you see is a screenshot of your desktop overlaid with the consent prompt.)
      • During normal operation of a computer, even if you are using an account in the Administrators group, you are running as a regular user at the MEDIUM label level. One of the functions of UAC, provided you are a member of the Administrators group, is to create a special user access token with HIGH label level access. So in essence an administrator has two accounts with the same name yet different access levels.
      • UAC also allows for virtualization of application execution; it's used to allow normal users to modify special virtualized resources they don't normally have access to. These are stored in %USERPROFILE%\Appdata\Local\VirtualStore, which is normally a hidden system directory. This helps minimize the impact of potentially bad software by localizing the problem to a given account and not allowing it to affect the entire system.
    These are just some of the controls. So, in short, running a Windows system as a standard user can greatly reduce the chance of malware compromising your system. This, coupled with a solid anti-malware suite, a local firewall, regular patching, disabling unused components and eliminating unnecessary software, can help greatly protect your system.
     
    bochane likes this.
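An added example (not code from the thread or from either poster) that inspects the controls listed above on the token of the current PowerShell session and then uses the NO WRITE UP rule on a folder. It assumes Windows 10, Windows PowerShell 5.1, and that C:\Temp\lowil (an assumed path) may be created.

```powershell
# Added example, not from the thread: inspect the integrity label, UAC filtered token and
# privileges of this session, then give a scratch folder a Low mandatory label.
# Assumes Windows 10, Windows PowerShell 5.1, and that C:\Temp\lowil (assumed path) may be created.

# 1. Mandatory label of this process: whoami reports it as a group of type "Label".
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$label  = $groups | Where-Object { $_.Type -eq 'Label' }
"Integrity level: $($label.'Group Name')"     # e.g. Mandatory Label\Medium Mandatory Level

# 2. UAC split token. In a non-elevated shell an administrator's token still contains
#    BUILTIN\Administrators (S-1-5-32-544), but marked "used for deny only", which is why
#    the same account behaves like a standard user until it passes the UAC prompt.
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
if (-not $admins) {
    'Standard user: Administrators group is not in the token'
} elseif ($admins.Attributes -match 'deny only') {
    'Administrator, but running with the filtered (Medium) token'
} else {
    'Administrator, running with the full (High) token'
}

# 3. Privileges: which ones the token holds and which are currently enabled.
#    Most stay Disabled until a program explicitly enables them.
whoami /priv /fo csv | ConvertFrom-Csv |
    Select-Object 'Privilege Name', State | Format-Table -AutoSize

# 4. NO WRITE UP in practice: label a folder Low. This Medium shell can still write into it
#    (writing down is allowed), and a Low-integrity process, e.g. a sandboxed browser
#    renderer, may write here while being refused on everything carrying the default Medium label.
$dir = 'C:\Temp\lowil'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
icacls $dir /setintegritylevel '(OI)(CI)Low' | Out-Null
icacls $dir      # listing now includes: Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
'hello' | Set-Content (Join-Path $dir 'note.txt')   # succeeds: Medium may write to Low
```

Running the same script from an elevated and a non-elevated window of an administrator account shows the two tokens Neemobeer describes side by side.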
  3. Robert Diao

    Robert Diao New Member

    Joined:
    May 16, 2017
    Messages:
    4
    Likes Received:
    2
    Hi Neemobeer,

    Thanks for your clarification, but I suppose you misunderstood my suggestion, as your solution is still based on the user level, not on the app level.

    1. ACEs and ACLs: "These grant access to securable objects either by user or group membership. A securable object can be a named pipe, file, directory, service, registry, access token, to name a few."
       [Robert Reply]: "These grant access to securable objects either by user or group membership," as you said. But what I want is "These grant access to securable objects not only by user or group membership, but also by application."
    2. Mandatory Labelling w/ NO WRITE UP
       [Robert Reply]: This function is still based on the user, not on the application.
    3. Privileges
       [Robert Reply]: This function is still based on the user, not on the application.
    4. UAC (User Access Control)
       [Robert Reply]: This function is still based on the user, not on the application.
    To clarify what I want, I can give an example as below:
    Step 1: log in to Windows with a non-administrator account.
    Step 2: run Outlook and check all emails.
    Step 3: If I click an app or executable file attached to an email, the app or executable file can only access a temporary folder (such as c:\user\user\temp\). The app or executable file is not allowed to access any other folder, and it cannot call hook functions.

    Do you think Windows can meet this kind of requirement?

    Thanks a lot.

    Robert Diao
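One way current Windows can approximate Step 3 above, given as an added example that is not from the thread and uses a feature the thread does not mention: Windows Sandbox (Windows 10 Pro/Enterprise 1903 or later, with the Containers-DisposableClientVM feature enabled) opens the attachment in a disposable VM that sees only one mapped host folder. C:\Temp\attachments is an assumed path.

```powershell
# Added example, not from the thread: open an untrusted attachment inside Windows Sandbox so
# that it can reach only one read-only folder from the host and nothing it writes survives.
# Assumes Windows 10 Pro/Enterprise 1903+ with Windows Sandbox enabled; C:\Temp\attachments
# is an assumed host path into which the suspicious attachment has already been copied.

$hostDir = 'C:\Temp\attachments'                 # the only host folder exposed to the sandbox
New-Item -ItemType Directory -Path $hostDir -Force | Out-Null
$wsb = Join-Path $env:TEMP 'untrusted.wsb'

# Sandbox configuration: no network, no shared GPU, one read-only mapped folder.
# A mapped folder appears on the sandbox desktop under the same folder name.
@"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostDir</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\attachments</Command>
  </LogonCommand>
</Configuration>
"@ | Set-Content -Path $wsb -Encoding ASCII

# Anything the attachment writes or changes stays inside the VM and is discarded when the
# sandbox window is closed; the host only ever exposes the read-only folder.
Start-Process -FilePath "$env:SystemRoot\System32\WindowsSandbox.exe" -ArgumentList "`"$wsb`""
```

This confines the attachment by isolating the whole environment rather than by a per-application ACL, so it answers the "temporary folder only" requirement for untrusted files without changing how installed applications are authorised.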
     
  4. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    3,158
    Likes Received:
    491
    This would make applications useless. If I open, say, Word and all it can access is a temp folder, how would you save a file? Or perhaps the application has its own ACE to my directory, but then what if I need to use that application to edit a system file? If it's blocked, then I have no way to make the change.

    As to whether or not Microsoft could add the security layer I'd say probably. Whether or not they do I can't say.
     
  5. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,709
    Likes Received:
    356
    This thinking is why the Windows programs folder is the very last place any sane person would install their programs.
     
  6. Robert Diao

    Robert Diao New Member

    Joined:
    May 16, 2017
    Messages:
    4
    Likes Received:
    2
    Hi Neemobeer,

    For installed applications (such as "Word"), you can open up more resources or folders when you install them, so you can use Word to open/create/save a file.
    For uninstalled applications, they are not allowed to access other folders or resources by default.

    Of course, we can change the above rule for special cases.

    I really hope the Windows can provide this function.
     
  7. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    3,158
    Likes Received:
    491
    I think this would require a lot of work and careful planning, but it may work. Some things would need to be considered. Almost every application accesses Windows libraries, so they still need to be able to access system resources, and my thinking is that if the application runs as the application and not as a user, that application would still require an access token, so in a way the application context you're suggesting would still be like a user. To me this would just add a lot more complexity to the operating system and would be similar to running as a user, and adding complexity always reduces security, even if that complexity is for the purpose of security.
     
  8. Robert Diao

    Robert Diao New Member

    Joined:
    May 16, 2017
    Messages:
    4
    Likes Received:
    2
    Hi Neemobeer,

    I totally understand that the requirement is a kind of challenge for the Windows DEV team, as it is very complicated.

    The Linux community had to change the Linux kernel in order to support AppArmor and SELinux. I think the Windows OS would have to change its design and lower-level libraries to support the feature.

    However, I still think the feature is a critical requirement for a modern OS.

    Let's look back at the history of the OS.
    The first successful OS was Unix. During the period 1960 to 1980, the most common scenario was as below:
    * Multiple users shared one physical computer, as computers were so expensive.
    * Most users were specialists or software developers.
    Considering the above two facts, Unix was designed to control resources at the USER level, not the executable file level.

    However, the scenario has changed today:
    * One user can have multiple computers.
    * Most users are home users. They don't have a deep background in software development.
    So, resource control based on the USER level is not enough any more. The application level becomes critical.

    As a network security engineer, I totally understand that it is a very big challenge to make a new, perfect solution to meet this requirement.

    In my dream, the next-generation OS should provide the functions below:
    * Privileges based on the application level (we have discussed this before).
    * A privilege agent interface to the application (for example: an application "Python" is privileged to resources A, B, C; Python can restrict script_1 to resource A).
    * The lower-level system call can identify whether the request comes from the desktop or just from a background program.

    I believe the Windows team has the strong ability to provide a more secure new OS to customers.

    Thanks a lot.

    Best Regards

    Robert Diao
     
    bochane likes this.
