
Force limited user rights using minlogon ?

minlogon winlogon.exe

3 replies to this topic

#1 NT Five


Posted 09 December 2015 - 07:14 PM

Minlogon is great because of its small footprint and the fast logon.
From a security perspective it's not that great because you are running on the system account with admin rights.
It would be nice to find a mod/hack that allows running as a normal user using minlogon.

Can anyone think of a way to do this?



#2 Wonko the Sane


Posted 15 December 2015 - 07:37 PM

There are some hints here and there, as always not really detailed/finalized:

http://www.pcreview....-issues.528742/

http://www.pcreview....nlogon.2804600/

 

My guess is that one would need a GINA of some kind anyway (and thus Winlogon).

 

Most probably the best bet is still on the good guys at ReactOS, though AFAIK they are not even near something actually working (in the sense of being used on non-ReactOS).

The 0.4 RC has just been released, will see ...

 


Wonko



#3 NT Five


Posted 23 December 2015 - 07:13 PM

Hi Wonko !

 

Thanks for the links.
Very interesting...

 

I was brainstorming about a single user hardened minimal NT 5 system.

Here's the quote from Microsoft that tickled my neurons and made me look at minlogon:

 

[...] a locked down MinLogon system could be considered more secure than a locked-down WinLogon system because there is no "back door" such as an Administrator or Guest account to hack into.

 

source: https://msdn.microso...mbedded.5).aspx
 

I was thinking about finding a method to "hack" minlogon to somehow force it to run without administrator rights, but maybe there are better ways to close the "back door" Microsoft mentioned.
 

Can you think of other ways to "rip out" the admin account from a Windows XP system using regular winlogon and GINA?
Maybe there is a way to "patch" the SAM registry hives or something like that ?

The idea is to set up a nice XP configuration with the appropriate software and system settings and then "cripple" it by destroying / mutilating the Administrator account in some way so evil hackers can't use it for their evil plans.

 

Do you know of anyone who managed to achieve something like that?
 



#4 Wonko the Sane


Posted 23 December 2015 - 07:56 PM

Well, as I see it the essence of minlogon is not that of having only one account, but rather to have only the System account, or maybe even more properly, a "nameless" account with System/Admin privileges.
 
What you are after is a way to "harden" a multi-user system, and to have a multi-user system you do need Winlogon.
Of course Winlogon is a joke when it comes to security (if the hacker/attacker has physical access to the machine and the boot order can be modified) as demonstrated here:
http://reboot.pro/to...s-the-password/
and here (only a few PoCs):
http://reboot.pro/to...or-a-challenge/
 
My guess (but haven't really ever tested this) for your "base question" is that a possible way (still using Winlogon) could be that of stripping away the actual Administrator account, leaving only a "normal" one with (say) Power User or User privileges.
Doing this would maybe be possible with some (smart) editing of the Registry offline (and possibly some smart work with ACLs if NTFS); still, it would most probably become a nightmare to run in the real world (the system would need to be fully configured and "static", as most settings changes would no longer be possible).
Just like they say in the (nice) article you cited:

But beware that once all the doors are locked, there is no back door for even the creator of the runtime image to enter.

 
JFYI, a "light" version of the above (that might give you some ideas) has been recently proposed here:
http://www.msfn.org/...curity-threats/
 
Wonko



