[14421] in bugtraq
Hide Drives does not work with OUTLOOK 98 - Summary of Answers (W
daemon@ATHENA.MIT.EDU (DeAvillez, Carlos)
Mon Mar 27 17:16:51 2000
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01BF95B3.B48B09DE"
Message-Id: <F91320BA2EA7D311B01400A0C9DF88FB4244AF@csgexmail1.csg.stercomm.com>
Date: Fri, 24 Mar 2000 11:09:24 -0600
Reply-To: "DeAvillez, Carlos" <Carlos_DeAvillez@STERCOMM.COM>
From: "DeAvillez, Carlos" <Carlos_DeAvillez@STERCOMM.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01BF95B3.B48B09DE
Content-Type: text/plain;
charset="iso-8859-1"
(a copy of this e-mail has also been sent to NTBugTraq)
This is a summary of answers I got on this. Summing it all up, it seems that
the "Hide Drivers" policy simply does not protect you, no matter what you
do, whether you are running Office 97/98/2K, or anything else.
Markus Buchhorn [markus@acsys.anu.edu.au] pointed that this seems to be a
problem also with Office 2000:
> It's a problem in (all of) Office2k as well - Office2k-SR1 mentions a fix:
> http://support.microsoft.com/support/kb/articles/q245/0/21.ASP
> "Q249949 OFF2000: Policy to Hide Drives Ignored in Office Programs "
> http://support.microsoft.com/support/kb/articles/Q249/9/49.ASP
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Scott Talkovic [satalkov@uci.edu] went on a longer discussion:
> Users can usually get to the drives using other methods too...for
instance,
> within applications such as FTP, or, if available, by clicking on
Start/Run
> and typing in the drive letter. I also wouldn't be surprised if someone
> could also call a batch file that would bring up the "hidden" drives or
> perhaps, if they can get to a shortcut's properties, use the browse button
> on the properties sheet (under Change Icon) to browse the drive. They
might
> also be able to use Find to find files on a hidden drive if they manually
> type in the drive letter to search. If it finds something, then they could
> probably use the "Open Containing Folder" option in the Find tool to get
> access to the drive. I would verify these possibilities for you, but I
don't
> have enough time right now. I do know for a fact that we can use FTP to
> browse the hidden drives on these workstations. I've done that before. As
> you can see, it's probably impossible to totally "hide" drives from
users...
> Because of this, we always use NTFS and/or share permissions to protect
> files on the drives. We also only map those drives that are needed at the
> workstations.
I set up a "Hide Drivers" policy where ALL drivers, except one network
drive, would be blocked. I then tested Windows Explorer and indeed only the
network driver was visible. But when I started a MsDOS session (cmd.exe), I
was put in my system's default path for DOS
(C:\WinNT\Profiles\<user>\DeskTop), which should have been blocked (but look
at the KB Q249949 above). Hum anyway.
I then launched Find Files, and I was able to see all my drivers if I
explicitly selected then. Hum.
Jos Fotinos [sw_fotinos@hotmail.com] also pointed out that:
> (...)
> But opening documents inside word
> entering c:\ as an adress inside the explorer deliviers simular results.
Thmas Seck [thomas.seck@stadt-bornheim.de] also offered another way,
> there is a much easier way to circumvent this policy.
>
> Use Filemanager (winfile.exe).
16-bit app, leftover from Win3... cool.
>
> Only Explorer and Explorer-based file dialogs care about these registry
keys.
And finally Sean Alderman [SAlderman@FREITRATER.COM] said:
> I use similar restrictions on Windows 9X policies. You may also notice
that
> any 16bit File Open API will allow you to see all local and mapped drives.
> (...)
> I would suggest checking the other File Open dialogs in apps like Office
and
> maybe some 32bit non MS apps. The 16bit dialog does not allow you to
> perform edit ops like the 32bit dialog does. I have not noticed any
issues
> with this in my Office 97 installations.
> (...)
This seems to be quite broken.
As far as I can understand, only the casual user will ever be blocked here.
I also wonder if there is any chance of the "Hide Drivers" policy ever
working. It is probable that the best (and, perhaps, the only) way of
blocking access to different drivers is by using NTFS and acls.
Maybe the Office 2000 SR1 will succeed in block it at the Office
(application) level, but this is only a minor point here. If I cannot open a
document with Office (on a restricted system), I can still ftp it over
somewhere else and open it (on a non-blocked system).
One might also say this is what happens when security is implemented at the
application (user) level, instead of at the kernel level...
Regards,
..Calado..
------_=_NextPart_001_01BF95B3.B48B09DE
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2650.12">
<TITLE>Hide Drives does not work with OUTLOOK 98 - Summary of Answers =
(WInNT4)</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2 FACE=3D"Arial">(a copy of this e-mail has also been =
sent to NTBugTraq)</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Arial">This is a summary of answers I got on =
this. Summing it all up, it seems that the "Hide Drivers" =
policy simply does not protect you, no matter what you do, whether you =
are running Office 97/98/2K, or anything else.</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Arial">Markus Buchhorn =
[markus@acsys.anu.edu.au] pointed that this seems to be a problem also =
with Office 2000:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">> It's a problem in (all of) =
Office2k as well - Office2k-SR1 mentions a fix:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">> <A =
HREF=3D"http://support.microsoft.com/support/kb/articles/q245/0/21.ASP" =
TARGET=3D"_blank">http://support.microsoft.com/support/kb/articles/q245/=
0/21.ASP</A></FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> "Q249949 =
OFF2000: Policy to Hide Drives Ignored in Office Programs "</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> <A =
HREF=3D"http://support.microsoft.com/support/kb/articles/Q249/9/49.ASP" =
TARGET=3D"_blank">http://support.microsoft.com/support/kb/articles/Q249/=
9/49.ASP</A></FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier =
New">-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-=
x-x-x-x-</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Arial">Scott Talkovic [satalkov@uci.edu] went =
on a longer discussion:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">> Users can usually get to =
the drives using other methods too...for instance,</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> within applications such =
as FTP, or, if available, by clicking on Start/Run</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> and typing in the drive =
letter. I also wouldn't be surprised if someone</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> could also call a batch =
file that would bring up the "hidden" drives or</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> perhaps, if they can get =
to a shortcut's properties, use the browse button</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> on the properties sheet =
(under Change Icon) to browse the drive. They might</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> also be able to use Find =
to find files on a hidden drive if they manually</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> type in the drive letter =
to search. If it finds something, then they could</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> probably use the =
"Open Containing Folder" option in the Find tool to =
get</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> access to the drive. I =
would verify these possibilities for you, but I don't</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> have enough time right =
now. I do know for a fact that we can use FTP to</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> browse the hidden drives =
on these workstations. I've done that before. As</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> you can see, it's probably =
impossible to totally "hide" drives from users...</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">> Because of this, we always =
use NTFS and/or share permissions to protect</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> files on the drives. We =
also only map those drives that are needed at the</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> workstations.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Arial">I set up a "Hide Drivers" =
policy where ALL drivers, except one network drive, would be blocked. I =
then tested Windows Explorer and indeed only the network driver was =
visible. But when I started a MsDOS session (cmd.exe), I was put in my =
system's default path for DOS (C:\WinNT\Profiles\<user>\DeskTop), =
which should have been blocked (but look at the KB Q249949 above). Hum =
anyway.</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Arial">I then launched Find Files, and I was =
able to see all my drivers if I explicitly selected then. Hum.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Arial">Jos Fotinos [sw_fotinos@hotmail.com] =
also pointed out that:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">> (...)</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> But opening =
documents inside word</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> entering c:\ as an adress =
inside the explorer deliviers simular results.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Arial">Thmas Seck =
[thomas.seck@stadt-bornheim.de] also offered another way,</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">> there is a much easier way =
to circumvent this policy.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> Use Filemanager =
(winfile.exe).</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">16-bit app, leftover from =
Win3... cool.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> Only Explorer and =
Explorer-based file dialogs care about these registry keys.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">And finally Sean Alderman =
[SAlderman@FREITRATER.COM] said:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">> I use similar restrictions =
on Windows 9X policies. You may also notice that</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> any 16bit File Open API =
will allow you to see all local and mapped drives.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> (...)</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> I would suggest checking =
the other File Open dialogs in apps like Office and</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> maybe some 32bit non MS =
apps. The 16bit dialog does not allow you to</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> perform edit ops like the =
32bit dialog does. I have not noticed any issues</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> with this in my Office 97 =
installations.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">> (...)</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">This seems to be quite broken. =
</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">As far as I can understand, only =
the casual user will ever be blocked here. I also wonder if there is =
any chance of the "Hide Drivers" policy ever working. It is =
probable that the best (and, perhaps, the only) way of blocking access =
to different drivers is by using NTFS and acls. </FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Maybe the Office 2000 SR1 will =
succeed in block it at the Office (application) level, but this is only =
a minor point here. If I cannot open a document with Office (on a =
restricted system), I can still ftp it over somewhere else and open it =
(on a non-blocked system).</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">One might also say this is what =
happens when security is implemented at the application (user) level, =
instead of at the kernel level...</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Regards,</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">..Calado..</FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01BF95B3.B48B09DE--
