Debug privileges
-
How common or uncommon is it that most employees have debug privileges for their Windows accounts? I am a programmer and I know that many programmers use API functions that require debug privileges. I have tried to ask security programmers if it is common or uncommon for typical users to have debug privileges but they are not clear in their answers. I am not a security specialist but as best as I understand Windows security it is possible to grant debug privileges to specific executables. Is management reluctant to do that or is it an acceptable compromise?
-
IIUC you only need the debug priv to debug processes started by another user. You can always debug processes that are running under your account. Giving a non-admin the debug priv is a security hole because that person could inject code into a system-level process and make it do something like run the Users control panel, and from there the person could add their account to the admins group.
Last modified: 18hrs 12mins after originally posted --
--Mike-- Visual C++ MVP :cool: LINKS~! Ericahist | PimpFish | CP SearchBar v3.0 | C++ Forum FAQ Ford, what's this fish doing in my ear?
-
Are you sure? The ReadProcessMemory function states explicitly that the handle it uses must have PROCESS_VM_READ access. I don't know if PROCESS_VM_READ access is the same as Debug privileges or if PROCESS_VM_READ access requires Debug privileges but probably one of them is true since I have said in programming forums and such that the ReadProcessMemory function requires debug privileges and no one has said it is not true. If it is true that any process that an account creates can use debugging functions on all other processes that the account creates then that is a security problem, since most users are not developers. If a non-developer executes a program that can access other processes then developers of the software would have access to data they should not have access to. -- modified at 3:03 Saturday 10th March, 2007
-
You have complete permissions (Full Control) to any process you create. You can inspect a process's access control list using Process Explorer. Go to the process Properties, Security tab and click Permissions. If you then go to the Advanced editor (click Advanced) and Edit, you'll see all the permissions detailed, including Read Memory. You only need the Debug privilege to debug processes that you didn't create (and therefore don't have permission in the process's access control list).
Stability. What an interesting concept. -- Chris Maunder
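Added example, not part of the thread and not code from any poster: one way to audit which principals a machine's policy grants the debug privilege, by parsing the user-rights file written by `secedit /export /cfg <file> /areas USER_RIGHTS`. The sample export, the `CONTOSO\devs` group and the function names are constructed for illustration, and treating BUILTIN\Administrators as the only expected holder is an assumption.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a secedit USER_RIGHTS export (not taken from the thread).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104,CONTOSO\\devs
[Version]
signature="$CHICAGO$"
Revision=1
"""

def holders(export_text, privilege="SeDebugPrivilege"):
    """Return the principals granted `privilege` in the [Privilege Rights] section."""
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            # SIDs are written with a leading '*'; account names appear bare.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []  # no entry for this privilege in the export

def unexpected_holders(export_text, allowed=(ADMINISTRATORS_SID,)):
    """Principals holding SeDebugPrivilege that are not on the allow-list."""
    allowed_ci = {a.lower() for a in allowed}
    return [p for p in holders(export_text) if p.lower() not in allowed_ci]

if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_EXPORT):
        print("SeDebugPrivilege granted to non-admin principal:", principal)
```

secedit normally writes the export as UTF-16, so a real file should be read with `encoding="utf-16"` before being passed to these functions.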