Windows pagefile security risks and how to avoid them

...."Although paging is a normal process performed by the Windows OS,
there are several reasons why a pagefile can be considered a security
risk. First, Windows does not automatically clear a pagefile when a
user logs out, which means there is a good chance that copies of the
user's files will still exist in the pagefile long after the user logs
off. Windows security prevents users from logging in and browsing the
pagefile, but there is nothing to stop a user from booting an
alternate OS and using that OS to circumvent Windows security and
browsing the pagefile."...

<http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1267258,00.html?track=sy201&asrc=RSS_RSS-23_201>
or
http://preview.tinyurl.com/2awro7

-- 
js
http://justheadlines.awardspace.com
john
8/9/2007 2:49:46 PM
grc.security

john s. smith wrote:
> ..."Although paging is a normal process performed by the Windows OS,
> there are several reasons why a pagefile can be considered a security
> risk. First, Windows does not automatically clear a pagefile when a
> user logs out, which means there is a good chance that copies of the
> user's files will still exist in the pagefile long after the user logs
> off. Windows security prevents users from logging in and browsing the
> pagefile, but there is nothing to stop a user from booting an
> alternate OS and using that OS to circumvent Windows security and
> browsing the pagefile."...
> 
> <http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1267258,00.html?track=sy201&asrc=RSS_RSS-23_201>
> or
> http://preview.tinyurl.com/2awro7
> 
SafeXP can set Windows to clear the pagefile at shutdown, but whether it 
does that at logoff is another question.
F
8/9/2007 7:01:21 PM
john s. smith wrote:
> ..."Although paging is a normal process performed by the Windows OS,
> there are several reasons why a pagefile can be considered a security
> risk. First, Windows does not automatically clear a pagefile when a
> user logs out, which means there is a good chance that copies of the
> user's files will still exist in the pagefile long after the user logs
> off. Windows security prevents users from logging in and browsing the
> pagefile, but there is nothing to stop a user from booting an
> alternate OS and using that OS to circumvent Windows security and
> browsing the pagefile."...
>
> <http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1267258,00.html?track=sy201&asrc=RSS_RSS-23_201>
> or
> http://preview.tinyurl.com/2awro7


Loss of physical control of drive puts a lot more sensitive things at risk
than the pagefile.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"DisablePagingExecutive"=dword:00000001

Currently I do not do any business that requires me to clear the pagefile.
000000001 clears at shutdown.

Disabling the paging executive caches the bare minimum without disabling
paging. Keeps Windows happy.

This key is in pagefile.reg that is part of an automated install.

-- 
Paul Nofs


Paul
8/9/2007 8:09:56 PM
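An audit script for the two Memory Management values quoted in the post above, added here as an example (it is not code from the thread or from any poster). It assumes an elevated PowerShell on Windows; the -Remediate switch is a name chosen for this example, not a Windows setting, and the BitLocker check is skipped where those cmdlets are absent.

```powershell
# Added example, not code from the thread. Reads the registry values Paul
# quotes and reports the pagefile state behind the shutdown-time discussion.
# Run from an elevated PowerShell on Windows. -Remediate is a switch invented
# here: it sets ClearPageFileAtShutdown=1, the same effect as the Security
# Option "Shutdown: Clear virtual memory pagefile"; it applies at next shutdown.
param([switch]$Remediate)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm  = Get-ItemProperty -Path $key

# An absent value behaves like 0 (pagefile kept as-is), so coerce $null to 0.
$clearAtShutdown = [int]$mm.ClearPageFileAtShutdown
$noPagedKernel   = [int]$mm.DisablePagingExecutive

# Pagefile size is what makes the shutdown wipe slow or fast (the 1 GB vs
# 2 GB comparison in the thread); report it next to installed RAM for context.
$ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pagefiles = Get-CimInstance Win32_PageFileUsage |
    Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage

# Wiping at shutdown does nothing for a drive pulled from a running or
# hibernated machine; volume encryption is the control that covers that case.
$encrypted = 'unknown (BitLocker cmdlets unavailable)'
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $encrypted = $vol.ProtectionStatus   # On or Off
} catch { }

[pscustomobject]@{
    ClearPageFileAtShutdown = $clearAtShutdown   # 1 = zeroed at shutdown
    DisablePagingExecutive  = $noPagedKernel     # 1 = kernel code/data stay resident
    PagefileAllocatedMB     = ($pagefiles | Measure-Object AllocatedBaseSize -Sum).Sum
    InstalledRamMB          = $ramMB
    SystemDriveEncryption   = $encrypted
} | Format-List

$pagefiles | Format-Table -AutoSize

if ($Remediate -and $clearAtShutdown -ne 1) {
    Set-ItemProperty -Path $key -Name ClearPageFileAtShutdown -Value 1 -Type DWord
    Write-Output 'ClearPageFileAtShutdown set to 1; the pagefile is zeroed at the next shutdown.'
}
```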
If a malicious person has physical access to my computer, the pagefile is the
least of my worries.
-- 
Crash


Crash
8/9/2007 8:45:14 PM
In newsgroup grc.security, "Crash" Dummy wrote:

> If a malicious person has physical access to my computer, the pagefile is
> the least of my worries.

Agreed.  I tried clearing the pagefile at shutdown and it slows down the
shutdown procedure to a crawl.  Not usable because much too slow.  Might be
a different story for NSA, CIA, FBI, etc...

MP
Martin
8/9/2007 10:25:57 PM
On Thu, 09 Aug 2007 18:25:57 -0400, Martin P. said:

> In newsgroup grc.security, "Crash" Dummy wrote:
> 
>> If a malicious person has physical access to my computer, the pagefile is
>> the least of my worries.
> 
> Agreed.  I tried clearing the pagefile at shutdown and it slows down the
> shutdown procedure to a crawl.  Not usable because much too slow.  Might be
> a different story for NSA, CIA, FBI, etc...

A different story here, too. I have had my pagefile set to be cleared at
shutdown on my last three XP HE SP2 boxes, and see no noticeable delay
when that option is selected, or disabled. 

-- 
160160 
160160
8/10/2007 8:49:04 AM
In newsgroup grc.security, 160160 wrote:

> On Thu, 09 Aug 2007 18:25:57 -0400, Martin P. said:
> 
>> In newsgroup grc.security, "Crash" Dummy wrote:
>> 
>>> If a malicious person has physical access to my computer, the pagefile
>>> is the least of my worries.
>> 
>> Agreed.  I tried clearing the pagefile at shutdown and it slows down the
>> shutdown procedure to a crawl.  Not usable because much too slow.  Might
>> be a different story for NSA, CIA, FBI, etc...
> 
> A different story here, too. I have had my pagefile set to be cleared at
> shutdown on my last three XP HE SP2 boxes, and see no noticeable delay
> when that option is selected, or disabled.

Might depend on your pagefile size.  Mine is 1 GB, equivalent to my RAM.

MP 

Martin
8/10/2007 3:22:19 PM
On Fri, 10 Aug 2007 11:22:19 -0400, Martin P. said:

> Might depend on your pagefile size.  Mine is 1 GB, equivalent to my RAM.

2 GB here, matching RAM also. 

-- 
160160 
160160
8/10/2007 4:10:23 PM
In newsgroup grc.security, 160160 wrote:

> On Fri, 10 Aug 2007 11:22:19 -0400, Martin P. said:
> 
>> Might depend on your pagefile size.  Mine is 1 GB, equivalent to my RAM.
> 
> 2 GB here, matching RAM also.
> 

Win2K Pro here.  I guess you're on XP?  SATA or ATA?  I'm on an ATA-100
motherboard ATA-100 drives and FAT32. These factors could make a
difference.  Anyway, with my hardware and my O/S and filesystem, shutdown
really goes down to a crawl when the pagefile is cleared at the same time.

MP
Martin
8/10/2007 8:31:40 PM
On Fri, 10 Aug 2007 16:31:40 -0400, Martin P. said:

> In newsgroup grc.security, 160160 wrote:
> 
>> On Fri, 10 Aug 2007 11:22:19 -0400, Martin P. said:
>> 
>>> Might depend on your pagefile size.  Mine is 1 GB, equivalent to my RAM.
>> 
>> 2 GB here, matching RAM also.
>> 
> 
> Win2K Pro here.  I guess you're on XP?  SATA or ATA?  I'm on an ATA-100
> motherboard ATA-100 drives and FAT32. These factors could make a
> difference.  Anyway, with my hardware and my O/S and filesystem, shutdown
> really goes down to a crawl when the pagefile is cleared at the same time.

XP HE SP2, ATA 300GB Hard Disk, formatted NTFS. I suspect the main
difference is NTFS vs FAT32.

-- 
160160 
160160
8/10/2007 8:41:18 PM
In newsgroup grc.security, 160160 wrote:

> On Fri, 10 Aug 2007 16:31:40 -0400, Martin P. said:
> 
>> In newsgroup grc.security, 160160 wrote:
>> 
>>> On Fri, 10 Aug 2007 11:22:19 -0400, Martin P. said:
>>> 
>>>> Might depend on your pagefile size.  Mine is 1 GB, equivalent to my
>>>> RAM.
>>> 
>>> 2 GB here, matching RAM also.
>> 
>> Win2K Pro here.  I guess you're on XP?  SATA or ATA?  I'm on an ATA-100
>> motherboard ATA-100 drives and FAT32.
> 
> XP HE SP2, ATA 300GB Hard Disk, formatted NTFS. I suspect the main
> difference is NTFS vs FAT32.
> 

Indeed.  FAT32 isn't a very efficient file system. I remember choosing it
because back then, the Linux NTFS drivers were safe only as read only and I
wanted all around read write access between my boxes.

MP
Martin
8/10/2007 10:18:58 PM
"john s. smith" <reply_here@.> wrote in message
news:1aamb31ac43vsfe61cffbu7gu6kvvolmlq@4ax.com...
> ..."Although paging is a normal process performed by the Windows OS,
> there are several reasons why a pagefile can be considered a security
> risk. First, Windows does not automatically clear a pagefile when a
> user logs out, which means there is a good chance that copies of the
> user's files will still exist in the pagefile long after the user logs
> off. Windows security prevents users from logging in and browsing the
> pagefile, but there is nothing to stop a user from booting an
> alternate OS and using that OS to circumvent Windows security and
> browsing the pagefile."...
>
> <http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1267258,00.html?track=sy201&asrc=RSS_RSS-23_201>
> or
> http://preview.tinyurl.com/2awro7
>
> -- 
> js
> http://justheadlines.awardspace.com


Actually you can browse/edit the pagefile.sys or any file you want locally
with a hex tool such as WinHex by X-ways software. It can work around
Windows control over file ownership.

The pagefile's data is no more telling than your registry or from any other
Windows or Non-Windows program that might collect specific information to
disk.

If you have ample amounts of RAM you don't really need to run a pagefile to
disk but you might run into out of memory issues with certain programs that
consume and retain data not specifically buffered or dumped to a file.
Without a pagefile to disk it will still exist and function by Windows but
only in RAM until you reboot.

Samuel
8/20/2007 5:08:17 AM
Hello Samuel,

>> but there is nothing to stop a user from
>> booting an alternate OS and using that OS to circumvent Windows
>> security and browsing the pagefile."...
>>
>> http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1267258,00.html?track=sy201&asrc=RSS_RSS-23_201

> Actually you can browse/edit the pagefile.sys or any file you want
> locally with a hex tool such as WinHex by X-ways software. It can
> work around Windows control over file ownership.

Can you work around those controls if you are running with a limited
"liability" account [LUA]?

Administrator allows access to all parts of the system including the 
privileged kernel operations which a LUA is not.

> The pagefile's data is no more telling than your registry or from any
> other Windows or Non-Windows program that might collect specific
> information to disk.

So the problem is fundamental. Losing physical control of an unencrypted
drive or giving software access to an administrator account (sometimes
quietly through browser scripting, email attachments or infected downloads)
is a great way to put sensitive data at risk as well as the system's
loyalty to its owner.

[In Vista, MS will not let me fully play the owner part, so I won't play 
with V]
-- 
Paul Nofs



Paul
8/20/2007 4:08:51 PM