[vbox-dev] HARDENING fails to verify DLLs depending on INTERACTIVE user vs. NOT

Thorsten Schöning tschoening at am-soft.de
Thu May 6 15:26:39 GMT 2021


Good day Thorsten Schöning,
on Friday, 30 April 2021 at 12:23 you wrote:

> In practice it's not that easy because of HARDENING: Whenever my user
> is a member of the group ADMINISTRATORS, VMs start successfully using
> task scheduler, while they don't as normal user. Though, when creating
> a cmd.exe interactively as my normal user and executing the above
> command line manually, the VMs start successfully as well.

I've decided to file a bug[1] about this problem and here is what I
think is going on:

The signature verification used by HARDENING relies on some
COM-component and default security settings of those only allow
SYSTEM, ADMINISTRATORS and INTERACTIVE to activate those. I have
documented that in the related ticket #20340[2] already. When using
task scheduler with my restricted user, it is not a member of any of
these groups, therefore the necessary components are not activated and
signatures can't be checked. This changes instantly when using the
same command line etc. with the same user in an interactive shell.

While that could be argued as a limitation of Windows default
settings, the problem in my opinion in this case is that HARDENING is
requiring that signature verification, not Windows, while without it
things would simply work. So to make HARDENING succeed in this case, I
would need to make my restricted user a member of ADMINISTRATORS,
which obviously doesn't make too much sense from a security
perspective: providing far more permissions than absolutely necessary
to make an additional security(!) check succeed first. :-)

Like discussed in #20340[2], this might be worked around by creating
an additional group and providing necessary permissions on the COM
component of interest to that group. The problem is that I couldn't
find the exact component yet... :-/

https://stackoverflow.com/questions/67331016/why-does-cryptcatadminenumcatalogfromhash-return-error-not-found-1062-for-n
https://docs.microsoft.com/en-us/answers/questions/378892/why-does-34cryptcatadminenumcatalogfromhash34-retu.html

Another workaround would be to make it possible to disable HARDENING
optionally, since it is harmful in this case, or at least to make it
more tolerant and ignore some of those errors under some
circumstances. As said, the mentioned DLLs are all Windows default
DLLs, unchanged, which otherwise easily pass signature verification.

This is especially worth considering because the error about the
concrete "NetSetupShim.dll" seems to only occur if the VM uses bridged
networking; with e.g. NAT that DLL doesn't seem to be used at all and
doesn't occur in the logs of HARDENING. That made the VM start in my
tests, even though the root cause of not being able to verify some
DLLs was still the same. So even though the VM started, a lot of
HARDENING errors about failed verification have still been logged but
seemed to be ignored, or no actual code of those DLLs was triggered,
or whatever.

Of course one can't configure the VM to work around limitations of
HARDENING; it's more likely that ADMIN users are used instead, which
makes this whole security check a bit pointless. :-)

[1]: https://www.virtualbox.org/ticket/20341
[2]: https://www.virtualbox.org/ticket/20340

Kind regards

Thorsten Schöning

-- 
AM-SoFT IT-Service - Bitstore Hameln GmbH i.G.
Member of the Bitstore Group - your full-service provider for IT and telecommunications

E-Mail: Thorsten.Schoening at AM-SoFT.de
Web:    http://www.AM-SoFT.de/

Tel:   05151-  9468- 0
Tel:   05151-  9468-55
Fax:   05151-  9468-88
Mobil:  0178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH i.G., Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB new - Managing Director: Janine Galonska
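The mail's diagnosis rests on two observations: the restricted account lacks SYSTEM, Administrators and INTERACTIVE in its token when started by Task Scheduler, and in that context Windows catalog signature lookups for default DLLs fail. The following PowerShell script is an added diagnostic, not part of the original mail, of VirtualBox or of its HARDENING code. It reports which of those three well-known groups the current token holds and whether the named DLL verifies via Get-AuthenticodeSignature (which resolves catalog-signed system files through the Windows catalog APIs). Running it once from an interactive shell and once as a scheduled-task action under the same restricted user, then comparing the two report files, shows whether the verification failure tracks the token rather than the file. The well-known SIDs are Microsoft's documented values; the DLL path and the report file location are assumptions chosen for this example.

```powershell
# Added diagnostic (not VirtualBox code). Compare the output of an
# interactive run with the output of a Task Scheduler run of the same
# restricted user to see which token groups and which signature
# results differ between the two contexts.

# Well-known SIDs documented by Microsoft; the names are for the report only.
$WellKnownGroups = [ordered]@{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
}

# DLL named in the mail; assumed to live in System32 as for any default DLL.
$Dlls = @("$env:SystemRoot\System32\NetSetupShim.dll")

# Report location: an assumption, chosen because a scheduled task has no console.
$ReportPath = Join-Path $env:TEMP 'hardening-diag.txt'

function Get-TokenSummary {
    # Enumerate the group SIDs of the current process token.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.Groups | ForEach-Object { $_.Value })
    $row  = [ordered]@{ User = $id.Name }
    foreach ($sid in $WellKnownGroups.Keys) {
        # True when the token carries the group, regardless of elevation.
        $row[$WellKnownGroups[$sid]] = ($sids -contains $sid)
    }
    [PSCustomObject]$row
}

function Test-DllSignature {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{
            Path = $Path; Exists = $false; Status = 'n/a'; SignatureType = 'n/a'; Signer = ''
        }
    }
    # Status: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    # SignatureType: Authenticode (embedded), Catalog, or None.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [PSCustomObject]@{
        Path          = $Path
        Exists        = $true
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$token   = Get-TokenSummary
$results = $Dlls | ForEach-Object { Test-DllSignature -Path $_ }

$report = @(
    "=== Run at $(Get-Date -Format o) ===",
    "=== Token ===",
    ($token | Format-List | Out-String),
    "=== DLL signatures ===",
    ($results | Format-Table -AutoSize | Out-String)
) -join "`n"

# Print for the interactive run and persist for the scheduled-task run.
$report
$report | Set-Content -LiteralPath $ReportPath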

