Wednesday, March 11, 2015

Securing Stickykeys and the Ease of Access Center

One way a system can be compromised if the attackers have physical access to the machine is the "StickyKeys vulnerability": boot from other media, copy cmd.exe over %windir%\system32\sethc.exe, reboot, and press Shift five times at the logon screen to get a command prompt running as SYSTEM.  This isn't really a vulnerability, just the inherent weakness of letting malicious users change files on your disks.  The same trick works with the other accessibility binaries the logon screen can launch (listed below), and it can also be done without touching the file at all by setting an Image File Execution Options "Debugger" value for sethc.exe that points at cmd.exe, so that registry key belongs on your audit list as well.

The best way to prevent this is to prevent access to the disks.  Enable BitLocker drive encryption.  If the attacker can't read the disk offline they can't replace the .exe's.  Fixed.  Two caveats: keep the recovery key somewhere the attacker can't get at it, since whoever holds it can unlock the volume from any boot media, and remember that encryption does nothing against someone who can already log on as an administrator and edit the files from inside Windows.

If you can't do this, you can at least prevent the executables from running.  To do this, create a software restriction policy with path rules at the Disallowed security level for the following files (on Windows 7 / Server 2008 R2 and later, AppLocker path rules with the Deny action do the same job):
  • %windir%\system32\Narrator.exe  (Narrator)
  • %windir%\system32\osk.exe  (On Screen Keyboard)
  • %windir%\system32\Magnify.exe (Magnifier file)
  • %windir%\system32\sethc.exe (StickyKeys and MouseKeys)
  • %windir%\system32\utilman.exe (Ease of Access Center)
Note:  Blocking utilman.exe, the last one, also disables the accessibility button on the login screen (the Ease of Access icon in the corner of the logon screen; the original post shows a screenshot of it here).
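The same deny list expressed with AppLocker, as an added example that is not from the original post.  AppLocker is the successor to Software Restriction Policies (Windows 7 / Server 2008 R2 and later, Enterprise and server SKUs).  The cmdlets and the policy XML schema are the real AppLocker ones; the rule names, the temp file path and the decision to ship the three standard default allow rules alongside the deny rules are my own.  Run it from an elevated PowerShell prompt:

```powershell
# Added example (not from the original post): deny the five Ease of Access binaries
# with AppLocker, the successor to Software Restriction Policies.
# Assumes the AppLocker module and the Application Identity service (AppIDSvc)
# exist on this SKU. Run elevated.
Import-Module AppLocker

$targets = @(
    '%WINDIR%\System32\Narrator.exe',
    '%WINDIR%\System32\osk.exe',
    '%WINDIR%\System32\Magnify.exe',
    '%WINDIR%\System32\sethc.exe',
    '%WINDIR%\System32\utilman.exe'
)

# One Deny path rule per binary, for Everyone (S-1-1-0). AppLocker evaluates Deny
# before Allow, so these win over the "(Default) All files in Windows" allow rule below.
$denyRules = foreach ($path in $targets) {
    $id   = [guid]::NewGuid()
    $name = Split-Path $path -Leaf
@"
    <FilePathRule Id="$id" Name="Deny $name (Ease of Access)" Description="Blocks an accessibility binary that can be swapped for cmd.exe at the logon screen" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

# IMPORTANT: an enforced Exe collection blocks anything no rule allows. A policy
# holding only the five deny rules would stop every other program on the machine,
# so the standard default allow rules are included. Use EnforcementMode="AuditOnly"
# for a first pass that logs instead of blocking.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) Administrators run everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

# Temp file location is an arbitrary choice for this example.
$xmlPath = Join-Path $env:TEMP 'ease-of-access-deny.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Dry run: what would this policy decide for a blocked file and an unrelated one?
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:windir\System32\sethc.exe", "$env:windir\System32\notepad.exe"

# Merge into the local policy (add -Ldap to target a GPO instead). Nothing is
# enforced unless the Application Identity service is running; on Windows 10 it is a
# protected service, so sc.exe is the supported way to set its start type.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
```

Test-AppLockerPolicy prints the decision per file before anything is applied, which is the moment to notice that a missing default rule would deny notepad.exe as well.  Confirm the result at the logon screen itself (Shift five times for sethc.exe, Win+U for utilman.exe), because that is where these binaries are launched as SYSTEM.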

Finally, you can also remove permissions on these files.  Know that any malicious user worth her salt with the access needed to replace the files can trivially re-permission them as well (the same offline access that lets her copy cmd.exe over sethc.exe lets her take ownership and reset the ACL), so treat this as defence in depth rather than a fix.  These files are normally owned by TrustedInstaller; a Windows update that replaces one of them may ship the stock copy with stock permissions, so re-check after servicing.  The following backs up the permissions of the files with ICACLS, then takes ownership and sets Deny eXecute for the Everyone group on all of the files.  Run it from an elevated command prompt.

REM Run from an elevated command prompt.  Re-run after Windows updates, which can
REM put back stock copies of these binaries with stock permissions.

REM Backup old permissions (one .aclfile per binary).
ICACLS %windir%\system32\Narrator.exe /save %windir%\system32\Narrator.exe.aclfile
ICACLS %windir%\system32\osk.exe /save %windir%\system32\osk.exe.aclfile
ICACLS %windir%\system32\Magnify.exe /save %windir%\system32\Magnify.exe.aclfile
ICACLS %windir%\system32\sethc.exe /save %windir%\system32\sethc.exe.aclfile
ICACLS %windir%\system32\utilman.exe /save %windir%\system32\utilman.exe.aclfile

REM Take ownership of the files.  /A gives ownership to the Administrators group
REM rather than to the current user, so the change survives account cleanup.
TAKEOWN /F %windir%\system32\Narrator.exe /A
TAKEOWN /F %windir%\system32\osk.exe /A
TAKEOWN /F %windir%\system32\Magnify.exe /A
TAKEOWN /F %windir%\system32\sethc.exe /A
TAKEOWN /F %windir%\system32\utilman.exe /A

REM Deny execute permissions to the Everyone group (well-known SID S-1-1-0).
REM Read access is left alone so backups and integrity checks still work.
ICACLS %windir%\system32\Narrator.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\osk.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\Magnify.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\sethc.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\utilman.exe /deny *S-1-1-0:(X)

REM To undo, restore from the containing directory, e.g.
REM   ICACLS %windir%\system32 /restore %windir%\system32\sethc.exe.aclfile
REM (check the name stored inside each .aclfile if the restore does not match).
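An audit to pair with the ICACLS script, added here as an example and not part of the original post.  It checks the five binaries for the tampering described above (a shell copied over the file, a broken signature, an Image File Execution Options "Debugger" redirect) and confirms the Deny-execute entry is still in place.  The cmdlets are standard PowerShell; the function name, the set of shell binaries compared against and the output layout are my own choices, and the OriginalFilename check assumes the genuine binaries carry their own name in their version resource, which holds for stock copies but is worth confirming on your build.

```powershell
# Added example (not from the original post): read-only audit of the Ease of Access
# binaries. Run elevated so the ACL and HKLM reads succeed.
$names    = 'Narrator.exe', 'osk.exe', 'Magnify.exe', 'sethc.exe', 'utilman.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Hashes of the programs an attacker usually copies over the accessibility binary.
# A copied cmd.exe is still Microsoft-signed, so a signature check alone passes it;
# comparing hashes catches that case. (List chosen for this example.)
$shellPaths = "$env:windir\System32\cmd.exe",
              "$env:windir\explorer.exe",
              "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
$knownShellHashes = $shellPaths |
    Where-Object { Test-Path $_ } |
    ForEach-Object { (Get-FileHash -Algorithm SHA256 -Path $_).Hash }

function Test-EaseOfAccessBinary {
    param([Parameter(Mandatory)][string]$Name)
    $path     = Join-Path $env:windir "System32\$Name"
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path $path)) {
        $findings.Add('file missing')
    } else {
        $item = Get-Item $path
        # The version resource names the binary as it was built; a renamed cmd.exe
        # reports "Cmd.Exe" here. Comparison is case-insensitive.
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -and $orig -ne $Name) { $findings.Add("OriginalFilename is '$orig'") }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $findings.Add("signature $($sig.Status)") }

        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($knownShellHashes -contains $hash) { $findings.Add('hash matches a shell binary') }

        # Is the Deny-execute ACE for Everyone (S-1-1-0) from the ICACLS script present?
        $denyExec = (Get-Acl $path).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
        }
        if (-not $denyExec) { $findings.Add('no Deny-execute ACE for Everyone') }
    }

    # IFEO: a Debugger value makes Windows launch that program in place of $Name
    # without changing the file on disk, so none of the file checks above see it.
    $debugger = (Get-ItemProperty -Path (Join-Path $ifeoRoot $Name) -Name Debugger `
                    -ErrorAction SilentlyContinue).Debugger
    if ($debugger) { $findings.Add("IFEO Debugger = $debugger") }

    [pscustomobject]@{
        File     = $Name
        Status   = if ($findings.Count) { 'SUSPECT' } else { 'OK' }
        Findings = ($findings -join '; ')
    }
}

$names | ForEach-Object { Test-EaseOfAccessBinary -Name $_ } | Format-Table -AutoSize
```

A clean machine that has run the ICACLS script shows five OK rows.  A row reading "OriginalFilename is 'Cmd.Exe'; hash matches a shell binary" is the classic swap; a row whose only finding is the IFEO Debugger value is the variant that leaves the file untouched, which is why the registry check is there.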
