tags:

views:

175

answers:

1
Q: 

Building a simple security sandbox on Windows 2008 by automatically creating & restricting user accounts?

I want to build a fairly simple security sandbox for an application hosting service - the main goals are thus:

  1. Applications running "in" the sandbox cannot install anything onto the system outside of the directory the executable is running in.
  2. Access to the system in general is denied (registry access, et al.).
  3. Access to the file system (even read-only) outside the directories specified is explicitly denied. It will be a .NET application running inside the sandbox, so I am uncertain as to whether this will incidentally deny the runtime & or core dependencies?

The plan I have presently is to build the sandbox in .NET using the System.DirectoryServices namespace by:

  • creating a new semi-permanent user account for each launched instance
  • deriving it from the guest class of users to deny wide access to the system
  • then specifically granting read & write access to a finite number of directories where the application should be running.

Can anyone see any particular flaws in this plan? And is user account security sufficient to satisfy the above requirements securely? We're using a piece of commercial software right now to handle this (which is more comprehensive in it's sandboxing); but it is insufficiently automatable for our business - hence the desire to build it into our core automation software.

A: 

This is not a real sandbox - if the user can run malware with guest permission on the server or change anything on the server - he might be able to take over the server eventually. I'm not talking about regular apps, but and app that is designed to break your "Sandbox".

if you want a good sandbox, I think you should either use vmware (or similar) (with no access to the host machine) or use a 3rd party like this one Sandboxie which was build and tested for enough time, and I hope enough security expert validate it for it's safety.

What is the main purpose of the sandbox you're creating ?

with vmware like solution - the process of the app runs in the context of the guest machine and no the host machine so it much more difficult to access the host this way.

using slick OS setups (like win 2k8 server core) you can have many guest os on a single win2k8 machine that hosts them...

Dani  2009-12-08 15:52:02
one comment - everything is breakable (vmware as well) this difference is only the amount of effort you need to spend on doing so.
Dani  2009-12-08 15:52:55
Well, while malware can run within the area it can access - it can't set it self up to restart after a server restart for instance. (No ability to write to registry or startup directories for example)I probably need someone who has a degree of expertise to tell me whether this is directly exploitable - or whether a security breach will require an additional exploit on the operating-system level.Sandboxie is actually what we are using right now - but it's not automatable in the least; which means we cant put it into our deployment scripts (hence requiring tedious manual work).
Adam Frisby  2009-12-10 10:19:09
The course to the exploit - get guest access --> then elevate to privileged user --> than hack the system. you can't assume that the guest will not be able to change registry - many examples in windows server's history for this kind of attack - in your case - you give the guest access, now all that the attacker needs is the elevation code/exe/script whatever... which exists somewhere I guess.
Dani  2009-12-10 17:42:32
** disclaimer ** - most attackers will find it hard to hack the newest OS (win2k8) which is fully and weekly patched, with simple 3rd party IDS, Good AntiVirus both updated on a daily basis.if your attackers profile is wannabe hackers, so are ok to go.if you protect a bank... I wouldn't do it.
Dani  2009-12-10 17:44:52
Right. Code elevation via an additional exploit is the larger concern - but yes, we do keep the systems all regularly patched.
Adam Frisby  2009-12-11 04:51:32
Patching, AV, and "New OS" is not a bullet-proof solution, there are plenty of exploits for even "New OSes" and even regular AV updates are not 100% secure. In addition simply being in a VM gives no solid protection against access to the host OS from a determined, or even semi determined attacker (read semi-determined as malware designed to exploit). Your layers of protection need to be based on your intended usage of the sandbox machines. No one security policy is going to work for all situations.
GrayWizardx  2009-12-15 02:25:50
@GrayWizardx - Read my first comment - Everything is breakable.
Dani  2009-12-15 06:09:29

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?