BS². If the goal is to prevent killing a process, any malware running at
kernel level (say, a bogus driver) is free to do anything, any time, any
way it wants, and all the efforts in the world to “protect” the resource
will be rendered inoperative. So using ACLs is just a way to prevent the
ordinary, non-privileged user from screwing the process. An administrator
has the rights to kill a process because that is the role of
administrators: to fix things that are broken. If you “fix” it so the
admin cannot protect the system by removing a process, you only cause
inconvenience. The admin will boot in safe mode, which means that
start-after-boot processes will not start. The admin will then locate the
executable file, and delete it, then reboot the system. The
only-slightly-above-average 12-year-old can figure this out. So all
you’ve done is piss off the administrator, and get your process removed,
and lose all future sales. Plus lose sales to anyone he talks to, or who
reads his blog, etc.
Oh, note, I’ve had to do this. That’s why I know how to do it. It was a
poorly-written piece of malware on a client’s machine. It took me
practically zero time to figure out how to do it. Once I removed it, one
of the minions was sent around to fix each of the couple dozen machines
on the local network. And the product vendor was blacklisted (yes, it
was a product, which felt that to do its work, it had to hook system
calls. It interfered with proper operation of the system. That made it
malware).
joe
BS. From a driver, you can control what other drivers are loaded (see
also win8 ELAM) and you should then be able to protect arbitrary resources
from even admin users. Yes, this is creating a sort of after-the-fact
security barrier between kernel and user-mode admin, but it's the security
barrier that the hardware is set up to enforce, so no reason it can't be
done. The general design of Windows makes this difficult to do, of course,
in some of the finer details, especially if you care about user experience
and application compatibility, but there is no reason you need to abandon
the very thought. All that said, the original OP should know better than
to ask such a question here, especially given his corporate affiliation.
t.
On Wed, Sep 12, 2012 at 4:13 PM, wrote:
>
>> If you have processes that should not be killed by a user, start them
>> as a LocalService account, and put an appropriate ACL on the service.
>>
>> Remember, you cannot protect your system against a user with
>> Administrative privileges. Abandon the very thought of that.
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
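A concrete form of the service-account-plus-ACL approach in the quoted reply, written as an added example for this thread (it is not code from any of the posters). It assumes a hypothetical service named MyAgent that already exists, and it must be run from an elevated prompt. The DACL it sets lets SYSTEM and Administrators do everything, while interactive and service users keep only query rights, so a standard user cannot stop the service but an administrator still can, which is exactly the boundary the reply and Joe's post describe.

```powershell
# Added example, not from the original thread. 'MyAgent' is a hypothetical
# service name; run this from an elevated PowerShell prompt.
# Note: plain 'sc' is an alias for Set-Content in PowerShell, so use sc.exe.
$svc = 'MyAgent'

# 1. Run the service under the low-privilege built-in LocalService account.
#    Built-in accounts take no password.
sc.exe config $svc obj= 'NT AUTHORITY\LocalService'

# 2. Look at the current security descriptor before changing it.
sc.exe sdshow $svc

# 3. Replace the DACL. Service-specific rights in SDDL shorthand:
#    CC=QUERY_CONFIG  DC=CHANGE_CONFIG  LC=QUERY_STATUS  SW=ENUMERATE_DEPENDENTS
#    RP=START         WP=STOP           DT=PAUSE_CONTINUE LO=INTERROGATE
#    CR=USER_DEFINED_CONTROL  SD=DELETE  RC=READ_CONTROL  WD=WRITE_DAC  WO=WRITE_OWNER
#    SY (SYSTEM) and BA (Administrators) keep everything, including WP and SD.
#    IU (interactive users) and SU (service logon) get query rights only: no WP,
#    so they cannot stop the service, and no DC/SD, so they cannot reconfigure
#    or delete it. The S: part keeps the default failed-access audit ACE.
$sddl = 'D:' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
    '(A;;CCLCSWLOCRRC;;;IU)' +
    '(A;;CCLCSWLOCRRC;;;SU)' +
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
sc.exe sdset $svc $sddl

# 4. Confirm the new descriptor took effect.
sc.exe sdshow $svc

# 5. Check from a NON-elevated prompt as a standard user: this is denied.
#    Stop-Service $svc
#    From an elevated prompt the administrator path still works, which is the
#    point of the reply: admins are supposed to be able to remove the service.
#    Stop-Service $svc; sc.exe delete $svc
```

The service DACL only governs control requests through the Service Control Manager (stop, pause, reconfigure, delete). Killing the process directly with TerminateProcess is governed by the process object's own DACL, which for a LocalService process does not grant a standard user PROCESS_TERMINATE either; an administrator, or anything running in the kernel, is not constrained by either descriptor, as both posters note.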