TODO:
append-only files can be achieved by making sure that offsets passed to WriteFile are not less than the total size of the file (so an existing byte can never be overwritten)
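The offset rule above, as an added example in plain C (not the project's driver code): append_only_allows() is the decision the write hook would make, and guarded_write() applies it to a toy in-memory file so the rule can be exercised end to end. The names, the toy file and the 256-byte size are assumptions made for the example; the special -1 offset that Windows uses to mean "write to end of file" (FILE_WRITE_TO_END_OF_FILE) is treated as an append.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example (not the project's code). Models the append-only check
 * from the TODO: a write is allowed only if its starting offset is at or
 * beyond the current end of file, so existing bytes can never be
 * overwritten. The "write to end of file" offset that Windows expresses
 * as -1 (FILE_WRITE_TO_END_OF_FILE) is treated as an append. */

#define WRITE_TO_END_OF_FILE (-1LL)

/* Decide whether a write starting at `offset` may proceed against a file
 * whose current size is `size`. Returns true to permit, false to deny. */
bool append_only_allows(uint64_t size, int64_t offset)
{
    if (offset == WRITE_TO_END_OF_FILE)
        return true;                     /* explicit append */
    if (offset < 0)
        return false;                    /* any other negative offset is invalid */
    return (uint64_t)offset >= size;     /* at or past EOF: cannot clobber data */
}

/* Toy in-memory file (constructed for the example) used to exercise the check. */
typedef struct {
    uint8_t  data[256];
    uint64_t size;
} toy_file;

/* Apply a write only if the append-only policy permits it.
 * Returns the number of bytes written (0 if denied or out of space). */
size_t guarded_write(toy_file *f, int64_t offset, const void *buf, size_t len)
{
    if (!append_only_allows(f->size, offset))
        return 0;
    uint64_t start = (offset == WRITE_TO_END_OF_FILE) ? f->size : (uint64_t)offset;
    if (start + len > sizeof f->data)
        return 0;
    /* A write that starts past EOF leaves a zero-filled gap, as the real
     * file system would; the gap is new space, not existing data. */
    if (start > f->size)
        memset(f->data + f->size, 0, start - f->size);
    memcpy(f->data + start, buf, len);
    f->size = start + len;
    return len;
}
```

Two things the offset check alone does not cover: truncation (SetEndOfFile, or FileEndOfFileInformation / FileAllocationInformation through the native API) shrinks the file without a write and must be denied separately, and the size compared against must be the file's size at the moment the write is applied, under the same lock, or a concurrent write can slip in between the check and the copy.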
disable all non-TCP/IP / netbios protocols by default (with an additional option to enable)
(connect to \Device\AFD disable non tcp/ip stuff) (\device\netbios)
svchost.exe needs to be jailed by DLLs... each DLL will have its own policy
policy_include: additional.policy
add ability to deny logons to certain users
add a "signature" rule.. LocalSystem execution of different processes (especially cmd.exe) should be logged and possibly denied?
allow occasional rules to go through w/o logging? especially file & registry?
investigate SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE
disable execution of certain applications based on their version (e.g. a vulnerable IE) (from okena)
add sniffer & non-ip protocol detection (from okena)
COM/ActiveX interception
support for application clauses (chapter 6)
when creating an "exception" rule, MC can/should ask whether the exception rule should be created on the selected agent only, all agents of a certain type or all agents of all types
block debuggers
non-GUI/system apps cannot use GUI calls?
in server paranoid mode, allow only c:\program files\*.exe and c:\windows\*.exe to execute?
trusted path execution (deny execution of binaries from non-trusted directories, e.g. world-writable ones)
    (A trusted path is one that is inside a root-owned directory that is not group or world writable.)
explorer option.. "Run process in a sandbox.." brings up a gui that asks whether to allow file, reg, network access?
port to Itanium/AMD64
see if we can take over the job of a buffer overflow security exception handler
on win2k3 install custom BO exception handler that terminates a process
need to be able to control access to all device drivers (is this already handled by intercepting CreateFile?) is there another way to obtain a handle to a kernel driver?
disable modem access, etc
raw devices of all (mounted?) filesystems should be read-only
copy in all unicode strings, check them and then pass the kernel copies to the kernel to avoid race conditions?
disable our driver if loading using LastKnownGood configuration (notify MC?)
restrict reboot capability and certain programs only to interactive sessions?!
add ability to load what programs are allowed to run? (sha1 hashes, signed binaries)
investigate kernel32!CreateHardLink
dll_all: log will also log all section rules since RULE_DLL will be converted to RULE_SECTION
protect crypto keys
use ZwQueryProcessInfo ProcessVmCounters to keep track of amount of allocated process memory (execution time can be limited using job objects?! memory limit too?)
(or simply hijack malloc & free)
device naming on terminal servers
have a webpage which lists new vulnerabilities and whether our system would automatically protect against it
deallocate allocated virtual memory that was used by AS randomization once the process is loaded and initialized (what about dynamically loaded DLLs)?
create a policy check tool.. one of the things to look out for is using "eq" and then specifying regex chars like * or ? in the filename
interactive learning mode
policy_ask user app should not run as an interactive service but rather as a separate app running as a particular user
IIS install should scan the registry for any known virtual roots and automatically add them to the policy.. same for other apps
make sure that file-system protection cannot be subverted by accessing files by other means (\\127.0.0.1\share\file)
per-group policy, per-user global policy
network connect should be able to specify ports and not just ip addresses
    address eq "127.0.0.1:443" then permit
    address eq "0:443" then deny
    address eq "\\UNCpath\blah" then log
    address eq "www.porn.com:80" then deny
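The rule form shown above and the policy-check idea from earlier in the list ("eq" with * or ? in the value), as one added example in C that is not the project's own policy engine: parse_rule() reads a `<field> eq "<value>" then <action>` line, rule_has_glob_in_eq() is the lint, and decide_connect() matches a connect attempt against address rules. Assumptions made here because the notes do not say: a host of "0" means any address, a value without a port means any port, rules are evaluated first match wins, and an unmatched connect falls through to "log".

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the project's code). A minimal reader for the
 * "<field> eq "<value>" then <action>" rule form from the TODO, with a
 * lint for glob characters inside an "eq" value (where they are compared
 * literally, never as wildcards) and host:port matching for network
 * connect rules. "0" as host = any address; no port = any port;
 * first matching rule wins; no match = log (all assumed). */

typedef enum { ACT_PERMIT, ACT_DENY, ACT_LOG, ACT_INVALID } action_t;

typedef struct {
    char     field[32];
    char     value[128];
    action_t action;
} rule_t;

static action_t parse_action(const char *s)
{
    if (strcmp(s, "permit") == 0) return ACT_PERMIT;
    if (strcmp(s, "deny") == 0)   return ACT_DENY;
    if (strcmp(s, "log") == 0)    return ACT_LOG;
    return ACT_INVALID;
}

/* Parse one rule line into *r. Returns false on a syntax error or an
 * unknown action. */
bool parse_rule(const char *line, rule_t *r)
{
    char act[16];
    if (sscanf(line, "%31s eq \"%127[^\"]\" then %15s", r->field, r->value, act) != 3)
        return false;
    r->action = parse_action(act);
    return r->action != ACT_INVALID;
}

/* The lint from the TODO: "eq" is a literal comparison, so '*' or '?' in
 * the value almost certainly means the author wanted a pattern match. */
bool rule_has_glob_in_eq(const rule_t *r)
{
    return strpbrk(r->value, "*?") != NULL;
}

/* Match a connect attempt (ip string, port) against one address rule.
 * Value forms: "host:port" or "host"; host "0" matches any address. */
static bool address_rule_matches(const rule_t *r, const char *ip, unsigned port)
{
    if (strcmp(r->field, "address") != 0)
        return false;

    char host[128];
    unsigned rport = 0;
    bool has_port = false;
    const char *colon = strrchr(r->value, ':');
    if (colon != NULL && sscanf(colon + 1, "%u", &rport) == 1) {
        has_port = true;
        size_t hl = (size_t)(colon - r->value);
        memcpy(host, r->value, hl);
        host[hl] = '\0';
    } else {
        strcpy(host, r->value);
    }
    bool host_ok = strcmp(host, "0") == 0 || strcmp(host, ip) == 0;
    bool port_ok = !has_port || rport == port;
    return host_ok && port_ok;
}

/* Evaluate the rules in order; the first match decides. */
action_t decide_connect(const rule_t *rules, size_t n, const char *ip, unsigned port)
{
    for (size_t i = 0; i < n; i++)
        if (address_rule_matches(&rules[i], ip, port))
            return rules[i].action;
    return ACT_LOG;    /* assumed default for an unmatched connect */
}
```

A rule such as `address eq "10.0.0.*" then deny` parses cleanly but never matches a real address, which is exactly the silent hole the lint exists to catch; and a name-based value like "www.porn.com:80" only matches once the connect hook resolves, or is given, the name, which this example does not do.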
new product idea: Solaris BSM-like auditing (http://www.securityfocus.com/infocus/1362) for Windows
(compare to what audit logs native Windows Group/Security Policies can already generate)
posix 1003e
layers:
    desktop
    web server (iis, apache, netscape)
    database server (oracle, MS SQL / access, Sybase, DB2, Informix, Interbase, MySQL)
    terminal server
    mail server
    VPN server / remote access server
    dns server
    dhcp server
    wins server
    streaming media server
    domain controller
    file and print server
    (application server – websphere, BEA websphere)
    (collaboration server – IBM Lotus Domino)
client policies:
    email (outlook, outlook express, eudora, netscape)
    browsers (IE, netscape, opera)
    IM (aol, yahoo!, msn, icq)
    others (ms office, napster)