
Harden Windows System Probe named pipe #32354

Open
wants to merge 1 commit into
base: main
from

Conversation

alexn-dd
Contributor

@alexn-dd alexn-dd commented Dec 18, 2024

What does this PR do?

This PR hardens the Windows system probe named pipe \\.\pipe\dd_system_probe to be restricted to:

  • Local System
  • Administrators
  • ddagentuser

Motivation

This enhances the security posture of system probe.
This prevents Information Disclosure and Denial attacks by unprivileged and unauthorized users/processes.

Describe how you validated your changes

CI
inv pipeline.run --here
Manually set up an Active Directory environment and gMSA user, verified named pipe connections from the agent with the gMSA user to system probe.
Manually ran agent commands with the agent and system probe as Windows services: status, check cpu, config, configcheck, diagnose, health, hostname, launch-gui, restart-service, stop-service, start-service, flare
Manually queried system probe with NamedPipeCmd.exe, running as Administrator.
Verified the named pipe connection fails when a client tool (NamedPipeCmd.exe) is run as an unprivileged user.
Manually stepped through the debugger to check named pipe creation and named pipe client connections.

Possible Drawbacks / Trade-offs

Some customers may potentially use custom users or custom tools to access the system probe named pipe. These will potentially break and are officially not supported.

Additional Notes

No impact/changes to Linux and other platforms.
See https://docs.google.com/document/d/14itu-TqM_RlCLxnbxeD_h_MRuDYIvo6W/edit
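The access restriction described in this PR (Local System, Administrators and the agent service account, nobody else) and the validation step of connecting as an unprivileged user can both be reproduced with a short script. The following is an added example, not code from the datadog-agent PR or repository: it builds a PipeSecurity with exactly that allow-list from well-known SIDs, starts a pipe server with it, prints the resulting DACL as SDDL for review, and provides a client-side probe that reports whether the caller's identity is admitted. It assumes Windows PowerShell 5.1 (.NET Framework), whose NamedPipeServerStream constructor accepts a PipeSecurity; the pipe name and the account name are placeholders.

```powershell
# Added example, not the PR's own code. Mirrors the allow-list the PR describes:
# Local System, BUILTIN\Administrators and one agent service account.
# Assumes Windows PowerShell 5.1 / .NET Framework.
$PipeName       = 'dd_system_probe_example'   # placeholder, not the real pipe name
$ServiceAccount = 'DOMAIN\ddagentuser$'       # placeholder; gMSA names end in '$'

function New-RestrictedPipeSecurity {
    param([string]$Account)
    $sec = [System.IO.Pipes.PipeSecurity]::new()
    $sids = @(
        # Well-known SIDs, so the rule does not depend on localized group names.
        [System.Security.Principal.SecurityIdentifier]::new(
            [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null),
        [System.Security.Principal.SecurityIdentifier]::new(
            [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null),
        # Resolving the service account needs a reachable domain controller for a gMSA.
        ([System.Security.Principal.NTAccount]::new($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    )
    foreach ($sid in $sids) {
        $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
            $sid,
            [System.IO.Pipes.PipeAccessRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow))
    }
    # Deliberately no Everyone / Authenticated Users ACE: any caller not listed
    # is refused at CreateFile time, which is what closes the unauthorized
    # read/denial path the PR's motivation section refers to.
    return $sec
}

function Start-RestrictedPipeServer {
    param([string]$Name, [System.IO.Pipes.PipeSecurity]$Security)
    return [System.IO.Pipes.NamedPipeServerStream]::new(
        $Name,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,                                            # single instance
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096,                                   # in/out buffer sizes
        $Security)
}

function Test-PipeAccess {
    # Connects as the current identity and classifies the result, which is the
    # same check the PR performs manually with NamedPipeCmd.exe.
    param([string]$Name)
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $Name, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(2000)                         # timeout in milliseconds
        return 'connected'
    } catch [System.UnauthorizedAccessException] {
        return 'access denied'                        # expected for an unprivileged caller
    } catch [System.TimeoutException] {
        return 'timeout'                              # pipe absent or busy; not an ACL verdict
    } finally {
        $client.Dispose()
    }
}

$security = New-RestrictedPipeSecurity -Account $ServiceAccount
$server   = Start-RestrictedPipeServer -Name $PipeName -Security $security

# Review the live DACL as SDDL. Expect SY (Local System), BA (Administrators)
# and the service account's SID only; a WD (Everyone) or AU (Authenticated
# Users) entry would mean the hardening is not in effect.
$server.GetAccessControl().GetSecurityDescriptorSddlForm('Access')

# Run Test-PipeAccess -Name $PipeName from a second, non-elevated PowerShell
# session while this one holds the server: it should report 'access denied',
# and 'connected' from an elevated session or one running as the service account.

$server.Dispose()
```

The SDDL dump is the quickest regression check for this kind of change: it can be read from the running service's pipe handle without any client tooling, and a reviewer only has to confirm that no broad principal appears in the DACL.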

@alexn-dd alexn-dd requested review from a team as code owners December 18, 2024 17:05
@alexn-dd alexn-dd requested a review from misteriaud December 18, 2024 17:05
@alexn-dd alexn-dd added the qa/done QA done before merge and regressions are covered by tests label Dec 18, 2024
@janine-c janine-c self-assigned this Dec 18, 2024
Labels
component/system-probe medium review PR review might take time qa/done QA done before merge and regressions are covered by tests team/windows-kernel-integrations
2 participants