Configure a "hardened" user account that an attacker would have a hard time abusing

RomanSt asked:

Suppose you have a Windows Server machine running various sensitive services. Suppose that one of these services is pretty simple, maintaining a small amount of information in a text file, but as a result of being badly coded, has an (unknown) arbitrary code execution vulnerability.

Is it possible to set up a user account for that service such that if a hacker were to exploit this vulnerability successfully, the most damage they could do is read/write this text file, mess up this specific service, and possibly list the files out of C:\Windows, but nothing else?

A naive attempt at doing this immediately runs into a problem: anyone in “Users” can write to C:\Program Files, and removing “Users” from that directory’s ACL results in a permission error, making me wonder if, perhaps, it is a very bad idea.

Or is the game already lost if the attacker can execute arbitrary code, regardless of which user account is used? I’ve always thought Windows NT descendants make it possible to contain this, but now that I’ve tried, I’m no longer so sure.

My answer:

In the Linux world, we would use SELinux or another mandatory access control mechanism to mitigate this sort of threat.

Windows doesn’t have anything quite so robust, but since Vista/2008 it does have a basic integrity mechanism which you might be able to use. (Though, this has a rather high learning curve and explaining it fully would require more length than is permitted here.)

I think your best short-term mitigation would be to isolate the service in a virtual machine.

View the full question and any other answers on Server Fault.
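One concrete way to build the kind of account the question asks for, added here as an example and not part of the original question or answer: instead of the integrity labels mentioned above (a service's integrity level is fixed by the Service Control Manager and cannot be lowered with sc.exe), it uses a per-service SID, a write-restricted service token, privilege stripping and explicit ACLs, all driven from sc.exe and icacls on Windows Server 2008 R2 or later. The service name `TextSvc`, its binary and the path of the text file are hypothetical placeholders.

```powershell
# Added example (not from the original post). Hypothetical names: service
# 'TextSvc', its binary, and the text file it maintains. Run as Administrator.
$svc  = 'TextSvc'
$exe  = 'C:\Program Files\TextSvc\textsvc.exe'
$data = 'C:\ProgramData\TextSvc\state.txt'
$sid  = "NT SERVICE\$svc"   # per-service SID, also the virtual account name

# 1. Own process, running as its virtual account (Server 2008 R2+; no password
#    is stored anywhere). The service no longer shares a token with other services.
sc.exe config $svc type= own obj= $sid

# 2. Write-restricted token: write access is granted only where the ACL
#    explicitly allows it for the service SID (or Everyone / WRITE RESTRICTED).
#    Broad 'Users' write ACEs elsewhere on the disk no longer help an attacker
#    who gains code execution inside this process.
sc.exe sidtype $svc restricted

# 3. Strip privileges down to SeChangeNotifyPrivilege (bypass traverse checking),
#    which practically every process needs; nothing like SeImpersonate remains.
sc.exe privs $svc SeChangeNotifyPrivilege

# 4. Lock down the data file and the binary. /inheritance:r drops inherited ACEs
#    (the broad entries from the parent folder); /grant:r replaces explicit ones.
#    The service may read/write its file but only read/execute its own binary,
#    so an attacker cannot replace the executable for persistence.
icacls $data /inheritance:r /grant:r "${sid}:(R,W)" "BUILTIN\Administrators:(F)" "NT AUTHORITY\SYSTEM:(F)"
icacls $exe  /inheritance:r /grant:r "${sid}:(RX)"  "BUILTIN\Administrators:(F)" "NT AUTHORITY\SYSTEM:(F)"

# 5. Check what the SCM will build, then restart and confirm the service still runs.
sc.exe qsidtype $svc
sc.exe qprivs   $svc
icacls $data
icacls $exe
Restart-Service -Name $svc
Get-Service -Name $svc
```

Test this on a disposable copy of the service first: a write-restricted token fails every write the service attempts outside the objects you explicitly granted (temporary files, registry keys, named pipes), so the service's own logging or settings code may need the same icacls treatment. Note that this approach makes the "remove Users from C:\Program Files" experiment from the question unnecessary; the restriction lives in the service's token, not in the system-wide ACLs.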

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.