Hi Carsten,

On Friday 09 March 2012 17:09:07 Carsten Krüger wrote:
> I tried the following (disabled kernel process hacker):
> 1. run an instance of notepad as user Carsten (normal windows user, no admin)
> 2. entered "testtesttest"
> 3. run an instance of process hacker as user Carsten
> 4. tried to write to memory -> worked, closed process hacker
> 5. run an instance of process hacker as admin and stripped permissions for user Carsten completely, closed process hacker
> 6. run an instance of process hacker as user Carsten
> 7. tried to write to memory -> failed as you expected
> 8. add full permissions to process for user Carsten -> works !!!!!!!
This won't work with openvpn.exe started by the service. In your test the process object security descriptor was owned by the user. The owner of an object is always granted write access to the security descriptor of the object, thus you could change the permissions back to whatever you desired.

The openvpn.exe process security descriptor will be owned by the user the service is run as, i.e. Local System. That's what I meant by "The service account will own the process object, so that the user cannot sneak his way in by modifying the DACL."

Regards
Heiko

--
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro a Sophos Company | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe
Represented by the General Partner Astaro Verwaltungs GmbH
Amalienbadstraße 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
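The point Heiko makes (the object owner is implicitly granted WRITE_DAC, so stripping the owner's ACEs from the DACL does not keep the owner out) can be illustrated with a small model of the Windows access check. The following is an added example written for this page, not code from the OpenVPN project or from Process Hacker; the SIDs for the user account are constructed, the access-right constants and the well-known SIDs for Local System, Administrators and Users are the real Windows values, and `run_scenario` replays steps 5 to 8 of Carsten's test once with the process owned by the user and once with it owned by Local System:

```python
# Minimal model of the Windows AccessCheck rule the reply relies on: the
# owner of an object is implicitly granted READ_CONTROL and WRITE_DAC no
# matter what the DACL says. Added example; not OpenVPN or Process Hacker code.

READ_CONTROL = 0x00020000          # standard right: read the security descriptor
WRITE_DAC = 0x00040000             # standard right: change the DACL
PROCESS_VM_WRITE = 0x0020          # process-specific right: write process memory
PROCESS_ALL_ACCESS = 0x1FFFFF      # full access to a process object (Vista and later)
OWNER_IMPLICIT = READ_CONTROL | WRITE_DAC   # what the owner always gets

# Well-known SIDs (real values) and one constructed user SID.
SYSTEM = "S-1-5-18"                # NT AUTHORITY\SYSTEM (Local System)
ADMINS = "S-1-5-32-544"            # BUILTIN\Administrators
USERS = "S-1-5-32-545"             # BUILTIN\Users
CARSTEN = "S-1-5-21-0-0-0-1001"    # constructed SID standing in for user Carsten

ACCESS_ALLOWED, ACCESS_DENIED = "allow", "deny"


class Ace:
    """One access control entry: allow or deny `mask` to `sid`."""

    def __init__(self, kind, sid, mask):
        self.kind, self.sid, self.mask = kind, sid, mask


class SecurityDescriptor:
    """Owner SID plus an ordered DACL (deny ACEs are expected first, as Windows orders them)."""

    def __init__(self, owner, dacl):
        self.owner = owner
        self.dacl = list(dacl)


def access_check(sd, token_sids, desired):
    """Return True if a token holding `token_sids` is granted every bit in `desired`."""
    granted = 0
    # Owner rule: READ_CONTROL and WRITE_DAC are granted before the DACL is consulted.
    if sd.owner in token_sids:
        granted |= desired & OWNER_IMPLICIT
    if granted == desired:
        return True
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        remaining = desired & ~granted
        if ace.kind == ACCESS_DENIED and ace.mask & remaining:
            return False               # a deny ACE covering a still-wanted bit ends the check
        if ace.kind == ACCESS_ALLOWED:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def run_scenario(owner):
    """Replay steps 5-8: admin strips Carsten's ACEs, Carsten tries to write memory,
    then tries to put a full-access ACE for himself back into the DACL.
    Returns (write_before, can_edit_dacl, write_after)."""
    sd = SecurityDescriptor(owner, [
        Ace(ACCESS_ALLOWED, SYSTEM, PROCESS_ALL_ACCESS),
        Ace(ACCESS_ALLOWED, ADMINS, PROCESS_ALL_ACCESS),
    ])
    carsten_token = {CARSTEN, USERS}   # Carsten is a plain member of Users, not an admin
    write_before = access_check(sd, carsten_token, PROCESS_VM_WRITE)   # step 7
    can_edit_dacl = access_check(sd, carsten_token, WRITE_DAC)         # does step 8 succeed?
    if can_edit_dacl:
        sd.dacl.insert(0, Ace(ACCESS_ALLOWED, CARSTEN, PROCESS_ALL_ACCESS))
    write_after = access_check(sd, carsten_token, PROCESS_VM_WRITE)
    return write_before, can_edit_dacl, write_after


if __name__ == "__main__":
    # Process started by Carsten: he owns it, so he can rewrite the DACL and get back in.
    print("owned by user:        ", run_scenario(CARSTEN))   # (False, True, True)
    # Process started by the service: owned by Local System, so the stripped DACL holds.
    print("owned by Local System:", run_scenario(SYSTEM))    # (False, False, False)
```

Run as a script it prints the two tuples; the first shows Carsten's observation (memory write denied, DACL edit allowed, write allowed again), the second shows why the same user cannot get at a process whose owner is Local System. The model also keeps Local System's own implicit rights intact, which is the property the service relies on to manage openvpn.exe itself.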