[wpkg-users] Question about system account

Kevin Landers landersk at gmail.com
Thu Oct 16 22:08:29 CEST 2008


On Thu, Oct 16, 2008 at 1:46 PM, Brian Reese
<breese at boston-engineering.com>wrote:

>
> >Hi Brian,
>
> >Brian Reese wrote:
> >> First off I'd like to say that WPKG is pretty nice and helps us solve a
> bunch of issues. I've recently been trying to get more advanced with my
> configuration, and put it into production with all clients, instead of IT
> just using it to rebuild or reconfigure machines. I have a couple questions:
>
> >Nice to read. You might add a note to the Testimonials on
> <http://www.wpkg.org/> :-)
>
>
> >> With regards to the SYSTEM account, I'm not certain about how windows
> handles system account privileges, but it seems like to me that using the
> non-passworded  SYSTEM account could be a security breech. I was told it
> isn't and I assume you guys wouldn't set the default to something that would
> have issues, but if someone could enlighten me, I'd appreciate it :)
>
> >SYSTEM is actually an account which has even a higher privilege level
> than Administrator accounts have. Check the properties/security of the
> %SystemRoot% folder for example. However you cannot log in to a system
> using the SYSTEM account. It is mainly for services and background
> system processes.
>
> >If anybody is able to attack and take over the process context of an
> application which runs with SYSTEM privileges, then he actually owns the
> system with full control. But it's quite hard to do that usually. In
> general only system services are running with SYSTEM privileges. To run
> a service with SYSTEM privileges you do not have to enter a password.
> This is still no security breach since only administrators are allowed
> to modify/create services. In addition nobody knows the SYSTEM user
> password (does it have one?) and of course nobody can log in
> interactively using this account.
>
> >So it can become a security breach only in case somebody manages to
> attack a running WPKG service and manages to insert some code which is
> then executed with SYSTEM privileges (by buffer overflows or similar).
> This risk is quite low with WPKG as it allows to delay login (no user
> interaction possible before the service finishes) and it even allows to
> exit the service (no WPKG client process with SYSTEM privileges running
> any more) after the job has been finished. So no attack vector possible
> here.
>
> >However there is a possibility to break security using WPKG. If you do
> not properly set access rights to the WPKG software share (where XML
> files and installers are stored) then an attacker might insert his own
> packages and execute them on the workstations. As wpkg.js runs on the
> local workstation invoked by WPKG client it inherits SYSTEM privileges
> as well. Inserting a "dummy" package which is running an FTP server for
> example instead of an installer will allow an attacker to run that FTP
> server with SYSTEM privileges on client computers.
>
> >The same applies to any other software distribution system. If the
> attacker manages to insert custom packages to the software server they
> are executed with at least administrator privileges since this
> privileges are required to install software.
>
> >However usually (as recommended) you should read software packages and
> XML files only from a read-only share (use WPKG client user/password to
> connect using a read-only user). Use another user to update XML files
> and software packages. The password of the read/write update user should
> be kept secure. This prevents intruders to insert unwanted packages and
> the system is considered to be secure.
>
> >By the way: User names and passwords are stored in a secure locker
> within Windows by WPKG client, there is no easy way to get to this
> passwords.
>
>
> >So I hope that clarifies some things.
>
>
> >> Also, I read somewhere in this email group that one of the new versions
> allows WPKG to run upon shutdown instead of startup, is it version 1.3.5 and
> when will that be considered "stable". And are you guys planning to support
> the web interface? Which by the way looks nice but I haven't gotten into
> yet. Thanks for any help.
>
> >Yes, newest versions of WPKG client support this feature (however I've
> never used it yet). But I am using the latest 1.3 pre-release package
> since quite a while now without any problems (not using the on-shutdown,
> nor the logon delay feature).
>
> >Personally I've seen too many problems with the logon delay feature and
> I hate to keep users waiting by a "please wait" pre-logon screen. I am
> operating a (Samba-) domain and found that running WPKG at startup in
> parallel to the network logon is absolutely fine with me. Usually WPKG
> finishes before the user enters his password or at least before the
> roaming profile is fetched from the server and the desktop loads. So no
> conflicts with running applications. Some installers also support
> scheduling file-replacements of in-use files for next reboot, so even if
> the user manages to start an application which WPKG is trying to upgrade
> in the background the installation will succeed (latest effective after
> next reboot). In worst case the upgrade fails, then WPKG will know it
> failed and try on next reboot - no big deal, up to now every
> installation succeeded, even without logon delay.
>
> >Just for information: I am operating a site with Windows XP machines as
> well as my home site with 3 Vista-64 machines and an XP-32 box.
>
> br,
> Rainer
>
> Thanks so much Rainer, this information is exactly what I was looking for,
> I had some trouble finding consistent information via google. Looks like im
> going to move to SYSTEM and have my users access the share with the lowest
> possible privileged readonly account. Normally I don't submit testimonials
> but since you put the time into providing a detailed response I will happily
> comply and add mine to the list :) Once again, I appreciate the help.
>
> -Brian
> -------------------------------------------------------------------------
> wpkg-users mailing list archives >>
> http://lists.wpkg.org/pipermail/wpkg-users/
> _______________________________________________
> wpkg-users mailing list
> wpkg-users at lists.wpkg.org
> http://lists.wpkg.org/mailman/listinfo/wpkg-users
>

I must say there was a lot of great information there that I never knew.
Perhaps a suggestion to move this to the documentation wiki? Not certain how
open the wiki is to public editing. Thanks Rainer.

landersk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wpkg.org/pipermail/wpkg-users/attachments/20081016/e26546ed/attachment-0002.html>


More information about the wpkg-users mailing list