From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001 From: tumagonx Date: Tue, 8 Aug 2017 10:54:53 +0700 Subject: initial commit --- TODO | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 TODO (limited to 'TODO') diff --git a/TODO b/TODO new file mode 100644 index 0000000..c618004 --- /dev/null +++ b/TODO 
@@ -0,0 +1,122 @@ +TODO: + +append only files can be achieved by making sure that offsets passed to writefile are not less than the total size of the file + +disable all non-TCP/IP / netbios protocols by default (with an additional option to enable) +(connect to \Device\AFD disable non tcp/ip stuff) (\device\netbios) + +svchost.exe needs to be jailed by DLLs... each DLL will have its own policy + +policy_include: additional.policy + +add ability to deny logons to certain users + +add a "signature" rule.. LocalSystem execution of different processes (especially cmd.exe) should be logged and possibly denied? + +allow occasional rules to go through w/o logging? especially file & registry? + +investigate SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE + + +disable execution of certain applications based on their version (i.e. vulnerable IE) (from okena) +add sniffer & non-ip protocol detection (from okena) +COM/ActiveX interception +support for application clauses (chapter 6) + +when creating an "exception" rule, MC can/should ask for whether the exception rule should be created on +the selected agent only, all agents of a certain type or all agents of all types + + +block debuggers + +non-GUI/system apps cannot use GUI calls? + + +in server paranoid mode, allow only c:\program files\*.exe and c:\windows\*.exe to execute? +trusted path execution (execution of binaries from non-trusted directories (i.e world-writable)) +(A trusted path is one that is inside is a root owned directory that is not group or world writable.) + +explorer option.. "Run process in a sandbox.." brings up a gui that asks whether to allow file, reg, network access? + +port to Itanium/AMD64 + +see if we can take over the job of a buffer overflow security exception handler +on win2k3 install custom BO exception handler that terminates a process + +need to be able to control access to all device drivers (is this already handled by intercepting createfile?) 
is there another way to obtain a handle to a kernel driver? +disable modem access, etc + +raw devices of all (mounted?) filesystems should be read-only + +copy in all unicode strings, check them and then pass the kernel copies to the kernel to avoid race conditions? + +disable our driver if loading using LastKnownGood configuration (notify MC?) + +restrict reboot capability and certain programs only to interactive sessions?! + +add ability to load what programs are allowed to run? (sha1 hashes, signed binaries) + +investigate kernel32!CreateHardLink + +dll_all: log will also log all section rules since RULE_DLL will be converted to RULE_SECTION + +protect crypto keys + +use ZwQueryProcessInfo ProcessVmCounters to keep track of amount of allocated process memory (execution time can be limited using job objects?! memory limit too?) +(or simply hijack malloc & free) + +device naming on terminal servers + +have a webpage which lists new vulnerabilities and whether our system would automatically protect against it + +deallocate allocated virtual memory that was used by AS randomization once the process is loaded and initialized (what about dynamically loaded DLLs)? + +create a policy check tool.. one of the things to lookout for is using "eq" and then specifying regex chars like * or ? in the filename + +interactive learning mode + +policy_ask user app should not run as an interative service but rather as a separate app running as a particular user + +IIS install should scan the registry for any known virtual roots and automatically add them to the policy.. 
same for other apps + +make sure that file-system protection cannot be subverted by accessing files by other means (\\127.0.0.1\share\file) + +per-group policy, per-user global policy + + +network connect should be able to specify ports and not just ip addresses +address eq "127.0.0.1:443" then permit +address eq "0:443" then deny +address eq "\\UNCpath\blah" then log +address eq "www.porn.com:80" then deny + + +new product idea: Solaris BSM-like auditing (http://www.securityfocus.com/infocus/1362) for Windows +(compare to what audit logs native Windows Group/Security Policies can already generate) +posix 1003e + + +layers: + +desktop +web server (iis, apache, netscape) +database server (oracle, MS SQL / access, Sybase, DB2, Informix, Interbase, MySQL) +terminal server +mail server +VPN server / remote access server + +dns server +dhcp server +wins server +streaming media server +domain controller +file and print server +(application server – websphere, BEA websphere) +(collaboration server – IBM Lotus Domino) + + +client policies: + email (outlook, outlook express, eudora, netscape) + browsers (IE, netscape, opera) + IM (aol, yahoo!, msn, icq) + others (ms office, napster) -- cgit v1.3
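Review bot: The append-only item at the top of the hunk ("offsets passed to writefile are not less than the total size of the file") has the same time-of-check/time-of-use gap that the later "copy in all unicode strings ... to avoid race conditions" entry describes for paths: the file size read for the check can change before the write is applied, so the entry should require that the size comparison and the write happen under the same serialization, and it should cross-reference the hard-link (kernel32!CreateHardLink), raw-device and "\\127.0.0.1\share\file" entries, since each of those is a way to reach the same data through a different path that the offset check alone does not see. The example rule `address eq "0:443" then deny` also relies on "0" meaning "any address" without saying so; given that the "create a policy check tool" entry already flags `eq` combined with wildcard-looking values as a known pitfall, spell out the intended semantics next to the example rather than leaving it implicit.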