« Previous 1 2 3 Next »
Security boundaries in Windows
Cordoned Off
User Separation
A user cannot access or manipulate the code or data of other users. Both files on the filesystem and processes at runtime are included in this security limit. For access by administrators, this limit can also be formally implemented in the filesystem. However, this restriction is not effective. Of course, administrators can, in the absence of an administrator kernel limit, change the access rights of other users' files at any time.
If a Windows user session is running for an authorized user, this account and the processes started in this session cannot access or manipulate other user sessions, particularly to remote desktop sessions, so that, for example, mounted network drives or forwarded printers are not accessible in these sessions.
The browser environment also has restrictions. A website not authorized by the user is bound by the same-origin policy and is not allowed to access or manipulate the code or data of the browser sandbox. However, from Microsoft's point of view, this security limit is only defined for Microsoft Edge and does not include the outdated Internet Explorer or web browsers by other manufacturers.
Virtual Machines
A Hyper-V server guest system, as well as the lightweight Hyper-V containers introduced in Windows Server 2016 (which can be managed with Docker), cannot access the code, data, or settings of another Hyper-V virtual guest without authorization. The Virtual Secure Mode (VSM) introduced in Windows 10 is also based on Hyper-V technology. A microkernel is started and isolates the Local Security Authority Subsystem Service (LSASS) in particular but also hardware such as the Trusted Platform Module (TPM) for apps started in the VSM. This security boundary specifies that code or data within the enclave cannot be accessed from outside the isolation (a so-called enclave).
Components Without Limits
For some Windows components, Microsoft explicitly clarifies that they are not to be considered a security boundary, even if the function suggests other properties. The list only includes those components that are often misinterpreted as a boundary, so it is not complete; it includes, for example, the administrator kernel boundary.
As mentioned before, the administrator or a process started with administrator rights has no restrictions in accessing data structures or kernel code. Microsoft also lists Windows Server containers, which, unlike the "secure" Hyper-V containers, do not isolate with sufficient reliability.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)