
difficulty of detecting rootkits

Posted Oct 28, 2004 3:01 UTC (Thu) by bojan (subscriber, #14302)
In reply to: difficulty of detecting rootkits by mbp
Parent article: Steve Ballmer's "executive letter"

> * NT recovery will (by default) not access the disks unless it can read the SAM database and check the administrator password. (Surely one of the most idiotic features ever, given the person is physically on the console and could boot Linux to look at the disks anyhow.)

Yeah, there is that one. There is also the thing with LocalSystem having more privileges than Administrator. Basically, the system is designed to not trust the very person that is supposed to be in charge of it (eh?). And yet, to bypass that is trivial - just run a service as LocalSystem that leaves a shell open. Not to mention the fact that many services actually already run as LocalSystem, therefore being completely exposed anyway.

Then there is the explanation as to why the graphics drivers should run in the kernel. Here is the summary. In the old NT 3.51, if the graphical subsystem died (which ran in userland), although the kernel stayed up, there was no way to do anything with the system (one needs a GUI to do things on NT). So, the "logical" solution was to put the GUI into the kernel and gain some speed instead. Hello? How about making the system in a way that it can be used WITHOUT the GUI? But no, that would look too much like Unix :-)

And it goes on and on...
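The comment's point that many services already run as LocalSystem is something a defender would want to measure on a given host rather than take on faith. As an added example, not code from the LWN thread or any of its participants, here is a PowerShell function (assumptions: a Windows host with CIM available; the function name is hypothetical) that groups services by logon account and lists the auto-started LocalSystem ones as least-privilege review items:

```powershell
# Added audit example (not from the LWN thread): inventory Windows services
# by the account they log on as, so LocalSystem exposure can be reviewed.
# Assumes Windows PowerShell 5.1+ or PowerShell 7 with CIM cmdlets available.
function Get-ServiceAccountSummary {
    [CmdletBinding()]
    param()

    $services = Get-CimInstance -ClassName Win32_Service

    # Count services per logon account; the built-in SYSTEM account is
    # reported by Win32_Service as the StartName 'LocalSystem'.
    $byAccount = $services |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object Name, Count

    # Services that run as LocalSystem and start automatically: these are
    # the "already exposed" set the comment refers to. Each one is a
    # least-privilege review item (could it use a virtual or service account?).
    $systemAuto = $services |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, PathName

    $systemCount = @($services | Where-Object { $_.StartName -eq 'LocalSystem' }).Count

    [PSCustomObject]@{
        ByAccount          = $byAccount
        LocalSystemAutoRun = $systemAuto
        LocalSystemPercent = [math]::Round(100 * $systemCount / $services.Count, 1)
    }
}

# Example use: show the share of services running as LocalSystem, then the
# auto-started ones with their binary paths for review.
$summary = Get-ServiceAccountSummary
"{0}% of services run as LocalSystem" -f $summary.LocalSystemPercent
$summary.LocalSystemAutoRun | Format-Table -AutoSize
```

Run it in an elevated session so that every service's PathName is readable; the output is an inventory only and changes nothing on the host.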


Copyright © 2008, Eklektix, Inc.