Home Library Learn Samples Downloads Support Community Forums
Microsoft Developer Network >
Attack Surface Analyzer test fails because of system principals

Answered Attack Surface Analyzer test fails because of system principals

  • Tuesday, October 02, 2012 8:08 AM
     
     
    Sign In to Vote
    0

    Hi all,

    I have tested my installer with WACK and the test fails because of changes on ACL lists. My software doesn´t perform any change on ACLs but it writes some data an Dlls in \Users\Public\Documents\<mySoftware>. Interactive and Batch principals has permissions on \Users\Public and "get access" to these files (by inheritance I supose) and Attack Surface Analyzer thinks that something unsecure has happened. If during installation you change documents destination folder, test succeeds.

    Could this be considered as an incorrect behaviour of Attack Surface Analyzer? Does exist a way to avoid this?

    • Moved by Rob CaplanMicrosoft Employee Thursday, October 04, 2012 10:33 PM (From:Tools for Windows Store apps )
    • Moved by Bob_BaoMVP Monday, October 08, 2012 7:02 AM (From:Application Compatibility for Windows Desktop Development)
    •  
     

All Replies

  • Monday, October 08, 2012 7:02 AM
     
     
    Sign In to Vote
    0

    Hi Alex,

    Sorry to move again. But based on the download and readme description, we could consult the ASA tool at SDL Microsoft Security Development Lifecycle (SDL) forum.

    Sincerely,

    Bob Bao [MSFT]
    MSDN Community Support | Feedback to us

     
  • Monday, October 08, 2012 11:10 PM
     
     
    Sign In to Vote
    0

    Alex,

    You landed in the correct forum (thanks Rob & Bob). ASA team has been notified.

    Jed

     
  • Tuesday, October 09, 2012 7:06 AM
     
     
    Sign In to Vote
    0

    Ok, perfect. Thanks Rob and Bob, next time I will do better :)

     
  • Thursday, October 11, 2012 7:42 PM
     
     Answered
    Sign In to Vote
    0

    Alex,

    Placing DLLs or executables in public folders like \users\public raises a warning. Consider using %Program Files%. Also, I recommend taking a look at the following MSDN links:

    http://msdn.microsoft.com/en-us/library/windows/apps/Hh920281.aspx

    http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh750314.aspx#asa_1

    Jimmie

     
  • Friday, October 12, 2012 7:44 AM
     
     
    Sign In to Vote
    0

    Hi,

    our users can create Dlls using our software and Visual Basic Editor, these Dlls are used to perform important tasks asociated to our software. VBA files and Dlls are placed in user documents folder. In “per-machine” installations, machine users share these Dlls so they are placed in \Users\Public\Documents. For our clients is important to shared these data between machine users. During installation we provided some samples (VBA files and Dlls) that are also placed in \Users\Public\Documents.

    When we try to pass WACK all is OK for per-user installation but fails for per-machine installation due to changes on ACLs performed by Interactive and Batch system principals that are out of our control, we write this files to \Users\Public\Documents and the SO itself change ACLs.

    Of course we could design another solution for sharing but we think that we don´t have a security fault, and that WACK could be passed.

    Thank you and best regards,

    Alex

     
© 2013 Microsoft. All rights reserved.