1
00:00:01,270 --> 00:00:04,190
Before we go on to take a look at lower-level boundaries,

2
00:00:04,360 --> 00:00:08,490
let's see how the user session boundary has been implemented in Windows 7.

3
00:00:10,480 --> 00:00:17,180
We'll use the Sysinternals suite for this presentation. Sysinternals is a suite of tools developed by

4
00:00:17,180 --> 00:00:19,690
Mark Russinovich.

5
00:00:19,700 --> 00:00:24,860
The tools are probably well known to all administrators and to other Windows systems security practitioners.

6
00:00:25,760 --> 00:00:27,980
We'll run a program called Process Explorer.

7
00:00:31,800 --> 00:00:34,810
Even though the program is contained in the Trusted directory,

8
00:00:35,100 --> 00:00:37,020
note that I still have to agree to run it.

9
00:00:40,440 --> 00:00:42,840
Taking a look at the program's properties,

10
00:00:42,870 --> 00:00:46,820
it turns out that the file is external.

11
00:00:47,020 --> 00:00:49,760
It comes from another computer.

12
00:00:49,830 --> 00:00:56,800
It's still blocked even though it's currently stored on my computer; this information has been saved.

13
00:00:58,730 --> 00:01:04,490
To disable the Open File security warning, we need to unblock the program by clicking on the button.

14
00:01:04,490 --> 00:01:06,010
See above.

15
00:01:06,010 --> 00:01:10,240
The question is: where does Windows store this type of information?

16
00:01:12,350 --> 00:01:16,120
It's saved in an alternate file stream on an NTFS drive.

17
00:01:18,260 --> 00:01:21,440
Objects on NTFS drives can have multiple data streams;

18
00:01:24,080 --> 00:01:27,010
alternate data streams are used exactly for this purpose:

19
00:01:28,060 --> 00:01:32,980
to store the origin of a file and allow a system to perceive it as a file that comes from an external

20
00:01:32,980 --> 00:01:33,760
site.

21
00:01:37,070 --> 00:01:44,300
Data streams may also be used to hide certain types of data. Coming back to our program,
22
00:01:44,680 --> 00:01:51,780
we'll run it with administrator privileges.

23
00:01:51,990 --> 00:01:57,970
We'll later talk about the origin of the need to relaunch it and confirm the decision.

24
00:01:57,980 --> 00:02:01,170
Let's take a look at the processes that run under the current account,

25
00:02:01,400 --> 00:02:07,570
our account. The rows of these processes are by default highlighted in blue.

26
00:02:12,480 --> 00:02:14,110
The operating system's shell,

27
00:02:14,110 --> 00:02:18,110
for example Windows Explorer, is the currently highlighted process.

28
00:02:21,560 --> 00:02:24,110
Various processes are launched within this shell.

29
00:02:25,380 --> 00:02:31,260
The bottom pane contains information on the selected Explorer process.

30
00:02:31,340 --> 00:02:36,410
You can view, for example, the activity of the process.

31
00:02:36,540 --> 00:02:40,200
In this case we can see the objects loaded by a given process.

32
00:02:42,770 --> 00:02:46,750
As you can see, a session has been set up for us.

33
00:02:46,900 --> 00:02:48,290
Its identifier is one;

34
00:02:52,690 --> 00:02:58,810
we're probably the first users who logged into this environment. By right-clicking on a process running

35
00:02:58,810 --> 00:03:00,030
in our session,

36
00:03:00,100 --> 00:03:04,900
you can select Properties.

37
00:03:05,090 --> 00:03:06,890
Let's move to the Security tab.

38
00:03:09,680 --> 00:03:14,910
Everything is tagged in such a way that the objects opened by a process can only be accessed by us:

39
00:03:15,140 --> 00:03:21,380
the current user account, a built-in system account, and a strange account with a visible SID,

40
00:03:25,070 --> 00:03:31,910
1-5-5-0. The SID indicates a logon identifier, in a way.

41
00:03:31,910 --> 00:03:38,820
This is an additional identifier of the above user. No other accounts can interfere or tamper with the

42
00:03:38,820 --> 00:03:42,660
operation of the process except for the operating system itself.
43
00:03:45,870 --> 00:03:49,840
We'll leave Process Explorer for a moment but will return to it later.

44
00:03:54,820 --> 00:03:58,180
We'll run now a standard Windows tool, Windows Task Manager.

45
00:04:04,380 --> 00:04:08,550
Once all the users' processes are displayed, we sort them by user names.

46
00:04:09,520 --> 00:04:13,560
It turns out that we can view our processes and the processes of other users.

47
00:04:19,670 --> 00:04:26,460
This is possible because the program runs with administrator permissions. We have discovered first that

48
00:04:26,490 --> 00:04:28,880
a session defines a security boundary.

49
00:04:30,870 --> 00:04:37,470
But here we can see that an administrator account can cross this boundary.

50
00:04:37,620 --> 00:04:44,960
It's enough to right-click on, let's say, iexplore.exe to be able to end it, which is an obvious interference

51
00:04:44,960 --> 00:04:46,660
with the operation of the process.

52
00:04:49,420 --> 00:04:53,660
The administrator crosses the boundary in an explicit and apparent manner.

53
00:04:56,440 --> 00:05:00,880
The last aspect of a user session boundary we'll cover is isolating session 0.

54
00:05:03,760 --> 00:05:06,710
To do this we'll need a program called PsExec.

55
00:05:13,970 --> 00:05:17,070
Let's start by launching the command line with administrator permissions;

56
00:05:20,300 --> 00:05:22,360
next, go to the Sysinternals folder.

57
00:05:35,820 --> 00:05:42,580
PsExec is commonly used to launch processes on remote computers.

58
00:05:42,660 --> 00:05:49,580
It can allow us to gain access to a remote operating system and the command line of that system.

59
00:05:49,770 --> 00:05:54,930
One of the additional features offered by the tool enables running it in a different session after submitting

60
00:05:55,070 --> 00:06:00,440
the session's number. This is enabled by the -i switch.

61
00:06:03,710 --> 00:06:05,580
Let's find out how it works.
62
00:06:07,190 --> 00:06:11,220
Let's run any program, for example calc.exe, in session 0.

63
00:06:18,540 --> 00:06:21,180
Calculator is running but we don't see it on our screen;

64
00:06:25,750 --> 00:06:28,040
the isolation of the session is working.

65
00:06:28,920 --> 00:06:35,520
There's a new warning in the taskbar: a program running on our computer is trying to display a message

66
00:06:35,550 --> 00:06:42,300
but we can't view it. The window appeared because session 0 isolation is a feature that can only be

67
00:06:42,300 --> 00:06:44,570
implemented beginning with Windows 7.

68
00:06:46,040 --> 00:06:52,940
It wasn't available in the previous versions. All services were running before in the context of the

69
00:06:52,940 --> 00:06:55,130
session of a user who logged in first.

70
00:06:59,050 --> 00:07:04,400
The session encompasses also antivirus scanners, which are programs that run as system services.

71
00:07:07,090 --> 00:07:12,240
Antiviruses interact with users, display messages, warnings etc.

72
00:07:14,560 --> 00:07:20,370
After the release of Windows 7, antiviruses shut down. To allow them to work,

73
00:07:20,400 --> 00:07:28,470
Microsoft introduced the dialog box you can see above. By clicking on View the message you switch, in

74
00:07:28,470 --> 00:07:31,970
a way, to a different desktop.

75
00:07:32,070 --> 00:07:39,590
You can see here the desktop of a user who launched session 0, or effectively the operating system.

76
00:07:39,740 --> 00:07:46,700
Let's quit the program and return to our own session. Because session 0 doesn't show any new messages,

77
00:07:46,960 --> 00:07:49,130
the displayed window has also disappeared.
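The following PowerShell script is an added example that is not part of the presentation or of the Sysinternals tools. It shows, from the command line, the two things the presenter demonstrated through dialog boxes: the origin mark that the Open File security warning reads from the Zone.Identifier alternate data stream (and which files in a folder carry any alternate stream at all), and the grouping of running processes by session ID, where session 0 holds the services and session 1 the first interactive user. The folder path C:\Tools and the file name procexp.exe are assumptions; Get-Item -Stream, Get-Content -Stream and Unblock-File are standard cmdlets available since PowerShell 3.0.

```powershell
# Added example, not from the presentation. Assumed folder: C:\Tools (change as needed).
param([string]$Folder = 'C:\Tools')

# Read the origin mark Windows keeps in the Zone.Identifier stream.
# The stream is a small INI fragment: [ZoneTransfer] / ZoneId=3 (3 = Internet zone).
function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }   # no stream: the file is not marked as external
    $content  = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier'
    $zoneLine = $content | Where-Object { $_ -match '^ZoneId=(\d+)$' } | Select-Object -First 1
    if ($zoneLine -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    return $null
}

# List every file under a folder that carries an alternate stream besides the main ':$DATA' stream.
# Zone.Identifier is the common, benign case; any other stream name deserves a closer look.
function Get-FilesWithAlternateStreams {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $alt = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
        if ($alt) {
            [pscustomobject]@{
                File    = $_.FullName
                ZoneId  = Get-FileZone -Path $_.FullName
                Streams = ($alt.Stream -join ', ')
                Bytes   = ($alt | Measure-Object -Property Length -Sum).Sum
            }
        }
    }
}

# Group processes by session ID. Session 0 is the isolated service session; the first
# interactive user normally gets session 1, as the presenter saw in Process Explorer.
function Get-ProcessesBySession {
    Get-Process | Group-Object -Property SessionId | Sort-Object { [int]$_.Name } | ForEach-Object {
        [pscustomobject]@{
            SessionId = [int]$_.Name
            Count     = $_.Count
            Sample    = ($_.Group | Select-Object -First 5 -ExpandProperty ProcessName) -join ', '
        }
    }
}

Get-FilesWithAlternateStreams -Folder $Folder | Format-Table -AutoSize
Get-ProcessesBySession | Format-Table -AutoSize

# The same unblock step the presenter performed through the Properties dialog,
# done without the dialog (removes the Zone.Identifier stream; file name is assumed):
# Unblock-File -LiteralPath (Join-Path $Folder 'procexp.exe')
```

Run it from an elevated PowerShell prompt if you want the session listing to include every user's processes; as the presentation shows with Task Manager, a non-administrator only sees processes in their own session. The Streams column is the useful detection signal: a file whose only extra stream is Zone.Identifier was simply downloaded, whereas an unexpected stream name on an executable is worth inspecting with Get-Content -Stream before the file is trusted.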