
Ethereal-dev: Re: [Ethereal-dev] Priv sep in ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@xxxxxx>
Date: Tue, 8 Feb 2005 10:42:52 +0100
* Lars Roland <lars.roland@xxxxxxx> [01/01/70 - 01:00]:

> >The ethereal windows installer could probably offer an option to 
> >enable the starting of NPF at system startup.  This would completely 
> >solve privilege separation for Windows and avoid the overhead of 
> >attempting to do these things in a separate process and pass all data to 
> >a display process.
> >
> I've checked in a change to the installer. The option to start the NPF 
> at system startup is disabled by default. Should it be enabled by default?

This looks like a bad idea, from a security point of view.

The NPF driver does not set permissions on devices it creates (this is a
well-known specificity of Winpcap, documented in item #7 of Winpcap's
FAQ, see http://winpcap.polito.it/misc/faq.htm#Q-7).

That means that once the NPF driver is loaded, any local user can sniff
the network because any user can open devices created by the NPF driver.

With the current default settings, an administrator knows that he has to
manually stop the driver after using it for capturing data from the
network, using the "net stop npf" command.

It is even recommended to run ethereal as a non-privileged user on
Windows, using runas to manually start the NPF driver before starting
ethereal:

runas /u:administrator "net start npf"

So, modifying the startup mode of the NPF driver is probably not a good
idea.

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand@xxxxxx
HSC - http://www.hsc.fr/
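An added example, not part of this message or of the Ethereal project: a PowerShell check for the condition described above. It reports whether the NPF driver is set to start with the system or is currently loaded, and with -Remediate puts it back into the manual-start, stopped state the message recommends. It assumes the driver is registered under the service name "npf", as in the "net stop npf" command quoted above, and that the shell is elevated when -Remediate is used.

```powershell
# Audit (and optionally remediate) the start mode of the NPF capture driver.
# Assumption: the driver's service name is "npf" (as in "net stop npf").
param(
    [switch]$Remediate   # without this switch the script only reports
)

$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'"
if (-not $drv) {
    Write-Output "NPF driver is not installed on this host."
    exit 0
}

Write-Output ("NPF driver: StartMode={0} State={1}" -f $drv.StartMode, $drv.State)

# Risk condition 1: the driver starts with the system, so its devices are
# openable by any local user long before an administrator chooses to capture.
$autoStart = $drv.StartMode -in @('Boot', 'System', 'Auto')
# Risk condition 2: the driver is loaded right now, whatever its start mode.
$running   = $drv.State -eq 'Running'

if (-not $autoStart -and -not $running) {
    Write-Output "OK: NPF is manual-start and not loaded."
    exit 0
}

if ($autoStart) { Write-Warning "NPF is configured to start at boot (StartMode=$($drv.StartMode))." }
if ($running)   { Write-Warning "NPF is currently loaded; any local user can open its devices." }

if (-not $Remediate) {
    Write-Output "Re-run with -Remediate (elevated) to set manual start and unload the driver."
    exit 1
}

# Same commands an administrator would type by hand; requires an elevated shell.
if ($autoStart) { sc.exe config npf start= demand | Out-Null }
if ($running)   { net.exe stop npf | Out-Null }

$after = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'"
Write-Output ("After remediation: StartMode={0} State={1}" -f $after.StartMode, $after.State)
if ($after.State -eq 'Running' -or $after.StartMode -in @('Boot', 'System', 'Auto')) { exit 1 }
exit 0
```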