10/14/2008

Token insecurity: and you thought that token-based security was fully secure?

Security is a situation that can change dramatically.

We were told that tokens would authenticate users and processes and that security would therefore be enhanced. Security is enhanced if you compare it with the situation before, but it is still not secure in itself, because it is too easy to circumvent or to impersonate. But maybe the most secure system is not possible, and the risks of circumvention and impersonation have to be built into other processes, procedures and controls.

http://www.argeniss.com/research/TokenKidnapping.pdf

You should however take into account the following recommendations:

Windows XP and Windows 2003
– On IIS 6, don't run ASP.NET in full trust, and if classic ASP is enabled, don't allow users to execute binaries.

Windows Vista and Windows 2008
– On IIS 7, don't run ASP.NET in full trust, or don't run web sites under the NetworkService or LocalService accounts.
– Don't run services under the NetworkService or LocalService accounts; use regular user accounts to run services.
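The recommendations above are easy to state but hard to keep track of on a real server, so here is an added audit script (it is not part of the original post or of the Argeniss paper) that lists which Windows services and IIS application pools still run under NetworkService or LocalService and which sites still run ASP.NET in full trust. It assumes PowerShell 3 or later and the WebAdministration module that ships with IIS 7 and later; the site name `Default Web Site` is only a sample value and the ASP.NET trust level is read from the `system.web/trust` element of the site's web.config.

```powershell
# Added audit script: find services, IIS application pools and ASP.NET sites
# that still match the risky configurations named in the recommendations.
# Assumes PowerShell 3+ and the WebAdministration module (IIS 7 or later).

$riskyServiceAccounts = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')
$riskyPoolIdentities  = @('NetworkService', 'LocalService')

# --- 1. Services running under NetworkService or LocalService ---------------
# Win32_Service.StartName is the account the service logs on with.
$riskyServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $riskyServiceAccounts -contains $_.StartName } |
    Select-Object Name, StartName, State, PathName

Write-Host "Services running as NetworkService/LocalService:"
$riskyServices | Format-Table -AutoSize

# --- 2. IIS application pools with the same identities ----------------------
Import-Module WebAdministration -ErrorAction Stop

$riskyPools = Get-ChildItem IIS:\AppPools |
    Where-Object { $riskyPoolIdentities -contains $_.processModel.identityType } |
    Select-Object Name, State,
        @{ Name = 'Identity'; Expression = { $_.processModel.identityType } }

Write-Host "Application pools running as NetworkService/LocalService:"
$riskyPools | Format-Table -AutoSize

# --- 3. Sites whose ASP.NET trust level is still Full -----------------------
# The trust level comes from <system.web><trust level="..."/></system.web>;
# anything other than 'Full' (for example 'Medium') satisfies the recommendation.
$fullTrustSites = foreach ($site in Get-ChildItem IIS:\Sites) {
    $level = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
        -Filter 'system.web/trust' -Name 'level'
    if ("$level" -eq 'Full') {
        [pscustomobject]@{ Site = $site.Name; TrustLevel = "$level" }
    }
}

Write-Host "Sites running ASP.NET in full trust:"
$fullTrustSites | Format-Table -AutoSize

# Sample remediation for the trust level (sample site name, not from the post):
# Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
#     -Filter 'system.web/trust' -Name 'level' -Value 'Medium'
```

Run it in an elevated PowerShell session on the web server. Anything in the three tables is a candidate for moving to a dedicated, regular user account (or, on IIS 7.5 and later, a per-pool virtual application pool identity) and for lowering the ASP.NET trust level, which is the substance of the recommendations above.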

16:09
