Microsoft Windows Vista Community Forums - Vistaheads

Trusted Installer

microsoft.public.windows.vista.installation setup






  #1 (permalink)  
Old 11-21-2007
MikeV06
 

Posts: n/a
Trusted Installer
I looked at Users & Groups and do not find a user or group named
TrustedInstaller. However, that user is listed as owner of the C:\ drive.
Do I need to add a user or something?

Thanks.

Mike
  #2 (permalink)  
Old 11-29-2007
Darrell Gorter[MSFT]
 

Posts: n/a
RE: Trusted Installer
Hello Mike,

This is part of the new ACLs to help improve security in Windows Vista.

From this link below: I am posting a couple of paragraphs that talk about
Trusted Installer:

http://www.microsoft.com/technet/tec...L/default.aspx

Trusted Installer The Trusted Installer is actually a service, not a user,
even though you see permissions granted to it all over the file system.
Service hardening allows each service to be treated as a full-fledged
security principal that can be assigned permissions just like any other
user. For an overview of this feature, see the January 2007 issue of
TechNet Magazine. The book Windows Vista Security (Grimes and Johansson,
Wiley Press, 2007) explores service hardening in detail, including how it
is leveraged by other features, such as the firewall and IPsec.

Trusted Installer In Windows Vista, most of the OS files are owned by the
TrustedInstaller SID, and only that SID has full control over them. This is
part of the system integrity work that went into Windows Vista, and is
meant specifically to prevent a process that is running as an administrator
or Local System from automatically replacing the files. In order to delete
an operating system file, you thus need to take ownership of the file and
then add an ACE on it that lets you delete it. This provides a thin layer
of protection against a process that is running as LocalSystem and has a
System integrity label; a process that has lower integrity is not supposed
to be able to elevate itself to change ownership. Some services, for
instance, can run with medium integrity, even though they are running as
Local System. Such services cannot replace system files so an exploit that
takes over one of them can't replace operating system files, making it a
bit harder to install a rootkit or other malware on the system. It also
becomes more difficult for system administrators who are offended by the
mere presence of some system binary to remove that binary.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
|> I looked at Users & Groups and do not find a user or group named
|> TrustedInstaller. However, that user is listed as owner of the C:\ drive.
|> Do I need to add a user or something?
|>
|> Thanks.
|>
|> Mike
|>
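
A read-only check of the ownership model described in the reply above, added here as an example that is not part of the original thread or of Microsoft's text: it lists binaries whose owner is not the TrustedInstaller service SID, or where some other principal holds write-level rights. The `$Path` value, the `*.exe`/`*.dll` scope and the choice of rights in `$writeMask` are assumptions made for the illustration; third-party files in the directory will legitimately appear in the output.

```powershell
# Added example (read-only): list OS binaries whose owner or write access departs
# from the TrustedInstaller model. Assumes Windows PowerShell 3.0+ on Vista or later.
# $Path and the *.exe/*.dll scope are illustrative choices, not taken from the thread.
$Path = Join-Path $env:SystemRoot 'System32'

# TrustedInstaller is a service SID, so it resolves under the NT SERVICE domain
# even though it never appears in Local Users and Groups.
$sidType = [System.Security.Principal.SecurityIdentifier]
$tiSid = ([System.Security.Principal.NTAccount]'NT SERVICE\TrustedInstaller').Translate($sidType)

# Rights that allow replacing or deleting a file, or rewriting its ACL or owner.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

Get-ChildItem -Path (Join-Path $Path '*') -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }
        $owner = $acl.GetOwner($sidType)

        # Allow ACEs that give any principal other than TrustedInstaller write-level access.
        $writers = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ne $tiSid.Value -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        })

        # Report only files that differ from "owned by TrustedInstaller, writable by nobody else".
        if ($owner.Value -ne $tiSid.Value -or $writers.Count -gt 0) {
            [pscustomobject]@{
                File         = $file.FullName
                OwnerSid     = $owner.Value
                OtherWriters = ($writers | ForEach-Object { $_.IdentityReference.Value }) -join ','
            }
        }
    } | Format-Table -AutoSize
```

A file that was taken over with the take-ownership-then-add-ACE sequence the quoted article describes shows up here with a different owner SID and an extra writer.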

  #3 (permalink)  
Old 12-07-2007
MikeV06
 

Posts: n/a
Re: Trusted Installer
Thank you for your post. The comments and the link are very useful.

Happy holidays.

Mike

On Thu, 29 Nov 2007 04:57:45 GMT, "Darrell Gorter[MSFT]" wrote:

> Hello Mike,
>
> This is part of the new ACLs to help improve security in Windows Vista.
>
> From this link below: I am posting a couple of paragraphs that talk about
> Trusted Installer:
>
> http://www.microsoft.com/technet/tec...L/default.aspx
>
> Trusted Installer The Trusted Installer is actually a service, not a user,
> even though you see permissions granted to it all over the file system.
> Service hardening allows each service to be treated as a full-fledged
> security principal that can be assigned permissions just like any other
> user. For an overview of this feature, see the January 2007 issue of
> TechNet Magazine. The book Windows Vista Security (Grimes and Johansson,
> Wiley Press, 2007) explores service hardening in detail, including how it
> is leveraged by other features, such as the firewall and IPsec.
>
> Trusted Installer In Windows Vista, most of the OS files are owned by the
> TrustedInstaller SID, and only that SID has full control over them. This is
> part of the system integrity work that went into Windows Vista, and is
> meant specifically to prevent a process that is running as an administrator
> or Local System from automatically replacing the files. In order to delete
> an operating system file, you thus need to take ownership of the file and
> then add an ACE on it that lets you delete it. This provides a thin layer
> of protection against a process that is running as LocalSystem and has a
> System integrity label; a process that has lower integrity is not supposed
> to be able to elevate itself to change ownership. Some services, for
> instance, can run with medium integrity, even though they are running as
> Local System. Such services cannot replace system files so an exploit that
> takes over one of them can't replace operating system files, making it a
> bit harder to install a rootkit or other malware on the system. It also
> becomes more difficult for system administrators who are offended by the
> mere presence of some system binary to remove that binary.
>
> Thanks,
> Darrell Gorter[MSFT]
