Can someone explain this to me 915
On Wed, 23 Feb 2005 14:11:16 +0000 (UTC), Rob S. Wolfram
No, it can't be disabled.
Can someone explain this to me 916
That's a function of the design of the environment. IMO it is a totally misdesigned environment; furthermore if such an environment is *really* necessary, then the administrators are security-conscious enough...
That also means making everything else in /etc immutable, or at least anything that might execute a program and allow someone to insert something else into the startup sequence. That also means you have to make all the applications referenced during startup immutable as well. It also means things like drivers and kernel modules and pretty much anything that might get executed in kernel space has to be as well.
Now, if everything in /etc is immutable, that means you can't make any configuration changes without rebooting to single-user mode or similar. So you have to take down your server any time you wish to make even the slightest change.
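An added example, not code from the thread, that turns the "everything in /etc has to be immutable" argument into a check: it parses lsattr output and lists the files that still lack the ext2/ext3 immutable flag. The lsattr lines below are constructed so the function can be exercised offline; audit_tree() runs the real lsattr against a live tree (the /etc default is an assumption). Setting the flag with chattr +i needs CAP_LINUX_IMMUTABLE, and the flag can be cleared again by the same privilege, which is exactly what the thread is arguing about.

```shell
#!/bin/sh
# Added example: find files under a tree that are not marked immutable,
# based on lsattr's "<attrs> <path>" output format.

# Constructed lsattr -R style output (not captured from a real host): a mix
# of files with and without the 'i' (immutable) attribute.
SAMPLE_LSATTR='----i--------e-- /etc/passwd
-------------e-- /etc/shadow
----i--------e-- /etc/inittab
-------------e-- /etc/init.d/rcS
----i--------e-- /etc/rc.d/rc.local'

# Read lsattr output on stdin; print the paths whose attribute string has no
# 'i' flag. Lines that are not "<attrs> <path>" (lsattr -R's "dir:" headers
# and blank lines) are skipped.
not_immutable() {
  awk 'NF == 2 && $1 ~ /^[-a-zA-Z]+$/ { if (index($1, "i") == 0) print $2 }'
}

# Number of mutable files in the constructed sample (a simple pass/fail gate).
mutable_count() {
  printf '%s\n' "$SAMPLE_LSATTR" | not_immutable | wc -l | tr -d ' '
}

# Live audit: walk a directory tree (assumed default /etc) with lsattr -R.
# Only needs read access; fixing the findings with chattr +i needs root.
audit_tree() {
  lsattr -R "${1:-/etc}" 2>/dev/null | not_immutable
}

# Demonstrate on the constructed sample.
printf '%s\n' "$SAMPLE_LSATTR" | not_immutable
```

Run it against a real tree with `audit_tree /etc`; every path it prints is one a writer with root could replace without first clearing the flag, so it is also a file an attacker could use to re-enter the startup sequence.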
flatFISHism an obsessive compulsive disorder 918
On Sun, 20 Feb 2005 10:31:10 -0800, Daeron Daeron is a bi-polar nutcase who refuses to take his medication. Let's talk...
Are you starting to see my point about different ways to circumvent? There will likely always be something you didn't think about. If it can be turned off, it can be worked around.
Sure there is. How about running a kernel debugger, finding the bits in memory and flipping them? There's lots of ways to solve the problem from a determined hacker's point of view.
CAP_SYS_MODULE won't prevent you from, for example, trojaning an existing module that will get loaded before you drop CAP_SYS_MODULE.
But yes, Windows has the concept of privileges, which are similar to POSIX capabilities. One of the privileges is "Load and unload device drivers". There are privs for debugging and a lot of other things. They're defined by local and domain security policy.
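An added example, not the poster's code, for the two circumvention routes named above (loading a module, and reaching kernel memory directly): it inspects a Linux capability bounding-set mask for CAP_SYS_MODULE and CAP_SYS_RAWIO, the bits that gate module loading and raw /dev/mem access. Capability numbers are the ones in <linux/capability.h>; the masks are the hex strings found on the CapBnd: line of /proc/<pid>/status, and the two masks below are constructed. drop_and_show() uses libcap's capsh, which is assumed to be installed and only meaningful as root. What the check cannot tell you is the point the post makes: a module already loaded before the bit was dropped keeps running regardless.

```shell
#!/bin/sh
# Added example: test a capability bounding-set mask for the kernel-entry
# capabilities, and optionally drop them for a child shell with capsh.

# Capability numbers from <linux/capability.h>.
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17

# Succeed (exit 0) if capability number $2 is set in hex mask $1.
# CapBnd is at most 64 bits, so POSIX shell arithmetic can hold it.
cap_in_mask() {
  [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# Bounding set of the current process, or empty outside Linux/procfs.
current_bnd() {
  awk '/^CapBnd:/ { print $2 }' /proc/self/status 2>/dev/null
}

# Verdict for a mask: what a process with that bounding set may still do.
# A trojaned module that was loaded at boot, before the bit was dropped,
# is already in kernel space; this check says nothing about it.
describe_mask() {
  mask=$1
  if cap_in_mask "$mask" "$CAP_SYS_MODULE"; then
    echo "module-load: allowed"
  else
    echo "module-load: blocked"
  fi
  if cap_in_mask "$mask" "$CAP_SYS_RAWIO"; then
    echo "raw-io: allowed"
  else
    echo "raw-io: blocked"
  fi
}

# Constructed masks: a full root bounding set, and one with bits 16 and 17
# (the fifth hex digit from the right) cleared.
FULL_BND=000001ffffffffff
REDUCED_BND=000001fffffcffff

# Drop both bits for a child shell using capsh (libcap) and let the child
# print its own CapBnd line. Assumes capsh is installed; needs root to work.
drop_and_show() {
  command -v capsh >/dev/null 2>&1 || { echo "capsh not installed"; return 1; }
  capsh --drop=cap_sys_module,cap_sys_rawio -- -c 'awk "/^CapBnd:/" /proc/self/status'
}

describe_mask "$FULL_BND"
describe_mask "$REDUCED_BND"
bnd=$(current_bnd)
if [ -n "$bnd" ]; then
  describe_mask "$bnd"
fi
```

Run `drop_and_show` as root to see the child's CapBnd lose the two bits; then compare `lsmod` before and after, which is unchanged, to see the limitation the post describes.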