Need some help with Windows security

gismo

Touchdown! Greaser!
Joined
Feb 28, 2005
Messages
12,675
Location
Minneapolis
I'm trying to set up a laptop for someone else to use in the field and I need to secure some of the files to be used so that the person I give the laptop to can't easily copy or alter some of the files. I realize that they could take the drive out and access things at will on a different computer but I'm hoping they aren't that knowledgeable.

I have one file containing the sensitive data along with a script (batch file) that loads the file into an embedded CPU and then secures the CPU.

I want the limited user to be able to run this script but I don't want them to be able to copy the sensitive file or modify the script so that it doesn't secure the CPU. I also don't want them to be able to copy the script and use that to create their own script that skips the secure CPU step.

I have created a separate user with limited rights but I can't figure out how to make it so that user can run the script without also giving them the ability to copy the contents of the sensitive file.

Running this script is the only thing the user needs to be able to do and if possible I'd like to make it so they can't do anything but run my script.

The laptop is running Windows XP (pro).
 
That's a bit out of my league (at least on Windows).

Does MS-SQL provide the ability to encrypt a database? If so, maybe storing the data as an encrypted database and giving the user limited privileges would work?

Just a random idea. Like I said, this is a bit above my skill level.

-Rich
 
That's an interesting problem. The problem is that the script is going to run under your limited user's account, therefore the limited user needs access to the sensitive file.

The solution that came to me is to not give the user access to the file at all. Write a Windows service that could run as a user with access to the file but no log on permissions. That service would listen for a signal from the limited user, copy the data to the CPU, then secure it.

In a Linux environment you could accomplish this by severely locking down the Sudo command for this user.
 
If he can read the file, he can copy the file. If you had Win 7 or better and a domain, you would have more options. Win 7 Pro has AppLocker and a domain gives you group policy management. Even still, any quasi-savvy user could copy a file that they have read rights to. You would have to take away access to pretty much any app that lets you browse files.
 
That's a bit out of my league (at least on Windows).

Does MS-SQL provide the ability to encrypt a database? If so, maybe storing the data as an encrypted database and giving the user limited privileges would work?

Just a random idea. Like I said, this is a bit above my skill level.

-Rich


I agree, managing the data using more secure storage than a text file on a Windows file system is the way to go.
 
You do know that Windows XP becomes unsupported on April 8, 2013? You really need to migrate to Windows 7.

Just off the top of my head, perhaps one could save these sensitive files in a Truecrypt or Bitlocker file and write a windows service that could run the script. By encrypting the file you reduce the damage done if your laptop is stolen.

I don't think in either Windows or Linux can you easily do what you want just by futzing with user permissions.
 
I don't think in either Windows or Linux can you easily do what you want just by futzing with user permissions.

I'm pretty sure you could in Linux. Don't give the user any access at all to the file, or even the folder the file is stored in. Give another user access to it. Then configure sudo so that the limited user can sudo run only the setup script as the second user. Deny access to ls, cat, anything except that one script.

Hmm... actually I guess it would have to be a compiled executable instead of script. A script would be calling cat or cp or something similar, which would mean sudo would have to allow those. If you compile it into an executable you can avoid that.

But it can be done. I think.
 
I agree with some of the other posters on looking to move to Windows 7 :)

You may want to investigate using a scheduled task. It's been awhile since I've set one up in Windows XP so I don't remember all of the options. I'll describe what I'd do for a win7/8 machine and you can give it a try on XP.

Since you said you are OK for now with the limitation that if the user pulls the HD out they can access the file, this first part should only secure the files from your limited user account assuming they boot into Windows. (I would be concerned about a user using a Live CD to boot past the OS, unless you have locked the BIOS down to prevent booting from anything but the HD.)
  1. Login as your admin account
  2. Copy the files (secure script and secure file) to the documents folder under the admin account. Your limited user will not have access to them there (assuming they have booted into Windows).
  3. Create a scheduled task that runs as the Local System user which executes your secure script. Do not setup a trigger or schedule, just create the task.
  4. Create a batch file that executes the scheduled task and place in the desktop folder for "all users".
When the limited user logs in, they should be able to double click on the batch file that's on the desktop, which kicks off the scheduled task. The scheduled task, running as Local System, has access to the files, but your limited user does not.

Now if you want to get fancy, you could try to make sure the files are encrypted at rest. Of course the key still has to be stored on the computer somewhere, but at least it would prevent the user from using a Linux/Windows "live CD" to boot past the OS or pulling the HD and easily copying the files.

On Windows 7 you could try using the encrypted file system and running the scheduled task as a user that has access to it. Or you could encrypt the files using a 3rd party program like TrueCrypt and research what options they have for storing the key securely. Using a public/private key (certificate) stored in the computer store might be an option for a TrueCrypt key, or a symmetric key used to encrypt the files yourself using a custom solution (i.e. powershell or simple c# console app that encrypts contents into memory).

With Windows 7 (I forget which SKU) and a motherboard with a TPM, you could enable BitLocker, storing the key in the TPM module. This would prevent someone from using the HD without the laptop. Then use something like EFS, TrueCrypt or a custom solution to protect the data when booted in Windows. Defense in depth.

Without more information, it will be up to you to decide how much effort you want to put into this. How valuable is your time, vs. the risk of someone executing one of the many attack vectors available.
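An added example, not posted by anyone in the thread, that scripts the four steps above as one batch file run once from the admin account. The folder C:\Secure, the script name load_and_lock.cmd, the task name LoadCPU and English group names (Administrators, SYSTEM) are all assumptions.

```batch
@echo off
REM Added example, not from the thread: builds the "scheduled task as Local System"
REM setup described above. Run once from the admin account on the laptop.
REM Assumed names: C:\Secure holds load_and_lock.cmd plus the sensitive data file;
REM the task is called LoadCPU. Group names assume an English Windows install.
setlocal
set SECURE_DIR=C:\Secure
set TASK_NAME=LoadCPU
set SCRIPT=%SECURE_DIR%\load_and_lock.cmd

REM --- 1. Lock the folder: replace the inherited ACL with Administrators + SYSTEM only.
REM cacls /G without /E overwrites the whole ACL; the piped "Y" answers its prompt.
REM The limited user can then neither list, read nor edit the script or the data file.
echo Y| cacls "%SECURE_DIR%" /T /G Administrators:F SYSTEM:F
if errorlevel 1 goto fail

REM --- 2. Register the task to run as Local System. schtasks insists on a schedule,
REM so "ONCE at 00:00" (today, already past) is a trigger that never fires; the only
REM way the task runs is on demand via "schtasks /Run".
schtasks /Create /TN %TASK_NAME% /TR "%SCRIPT%" /SC ONCE /ST 00:00 /RU SYSTEM /F
if errorlevel 1 goto fail

REM --- 3. Drop the launcher on the shared desktop (XP and Win7 keep it in different places).
set PUBDESK=%ALLUSERSPROFILE%\Desktop
if defined PUBLIC set PUBDESK=%PUBLIC%\Desktop
> "%PUBDESK%\Load CPU.cmd" echo @schtasks /Run /TN %TASK_NAME%
>>"%PUBDESK%\Load CPU.cmd" echo @pause

echo Done. Log in as the limited account and check that:
echo   - "dir %SECURE_DIR%" is denied (neither the data file nor the script is readable)
echo   - double-clicking "Load CPU" on the desktop starts task %TASK_NAME%
echo     (if that reports Access Denied, the task's own permissions must be opened
echo      to the limited account; on Win7 the tasks live under %%SystemRoot%%\System32\Tasks)
goto :eof

:fail
echo Setup failed; fix the error above before handing the laptop over.
exit /b 1
```

Because the task runs as Local System, every program the secure script calls (the CPU loader tool included) must also sit where the limited user cannot write, otherwise the user could change what gets executed with SYSTEM rights.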
 
Yeah, do the above. I didn't remember that you could kick off another user's scheduled task like that. Simple, effective, does what you want.
 
Yeah, do the above. I didn't remember that you could kick off another user's scheduled task like that. Simple, effective, does what you want.
Sounds like this would indeed do what I was attempting.
 