Good day Thorsten Schöning, on Friday, 30 April 2021 at 12:23 you wrote:
> In practice it's not that easy because of HARDENING: Whenever my user
> is a member of the group ADMINISTRATORS, VMs start successfully using
> task scheduler, while they don't as normal user. Though, when creating
> a cmd.exe interactively as my normal user and executing the above
> command line manually, the VMs start successfully as well.

I've decided to file a bug[1] about this problem and here is what I think is going on: The signature verification used by HARDENING relies on some COM component, and the default security settings of those only allow SYSTEM, ADMINISTRATORS and INTERACTIVE to activate them. I have documented that in the related ticket #20340[2] already. When using task scheduler with my restricted user, it is not a member of any of these groups, therefore the necessary components are not activated and signatures can't be checked. This changes instantly when using the same command line etc. with the same user in an interactive shell.

While that could be argued to be a limitation of Windows default settings, the problem in my opinion in this case is that HARDENING is requiring that signature verification, not Windows, and without it things would simply work. So to make HARDENING succeed in this case, I would need to make my restricted user a member of ADMINISTRATORS, which obviously doesn't make too much sense from a security perspective: providing far more permissions than absolutely necessary to make an additional security(!) check succeed first. :-)

Like discussed in #20340[2], this might be worked around by creating an additional group and providing the necessary permissions on the COM component of interest to that group. The problem is that I couldn't find the exact component yet... :-/

https://stackoverflow.com/questions/67331016/why-does-cryptcatadminenumcatalogfromhash-return-error-not-found-1062-for-n
https://docs.microsoft.com/en-us/answers/questions/378892/why-does-34cryptcatadminenumcatalogfromhash34-retu.html

Another workaround would be to make it possible to optionally disable HARDENING, as it does harm in this case, or at least to make it more tolerant and ignore some of those errors under some circumstances. As said, the mentioned DLLs are all Windows default DLLs, unchanged, which otherwise easily pass signature verification. This is especially worth considering because the error about the concrete "NetSetupShim.dll" seems to only occur if the VM uses bridged networking; with e.g. NAT that DLL doesn't seem to be used at all and doesn't occur in the logs of HARDENING. That made the VM start in my tests, even though the root cause of not being able to verify some DLLs was still the same. So even though the VM started, a lot of HARDENING errors about failed verification were still logged but seemed to be ignored, or no actual code of those DLLs was triggered, or whatever. Of course one can't configure the VM to work around limitations of HARDENING; it's more likely that ADMIN users will be used instead, which makes this whole security check a bit pointless. :-)

[1]: https://www.virtualbox.org/ticket/20341
[2]: https://www.virtualbox.org/ticket/20340

Kind regards
Thorsten Schöning

--
AM-SoFT IT-Service - Bitstore Hameln GmbH i.G.
Member of the Bitstore Group - your full-service provider for IT and telecommunications
E-Mail: thorsten.schoen...@am-soft.de
Web: http://www.AM-SoFT.de/
Tel: 05151-9468-0
Tel: 05151-9468-55
Fax: 05151-9468-88
Mobile: 0178-8-9468-04
AM-SoFT IT-Service - Bitstore Hameln GmbH i.G., Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB (new) - Managing Director: Janine Galonska
I am happy to answer any questions you may have.
_______________________________________________
vbox-dev mailing list
vbox-dev@virtualbox.org
https://www.virtualbox.org/mailman/listinfo/vbox-dev
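As an added illustration, not part of the mail above and not VirtualBox code, the following PowerShell diagnostic makes the three things the mail argues about visible from the restricted user's own logon session: whether the process token carries INTERACTIVE and Administrators, what the machine-wide DCOM launch/activation ACL (HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission) actually grants on this host, and whether the catalog-signed system DLLs verify in that session. Run it once from an interactive shell as the restricted user and once as a scheduled-task action under the same account, then compare the two output files. The DLL list and the output path are placeholders; Windows 10 with Windows PowerShell 5.1 is assumed, where Get-AuthenticodeSignature falls back to a catalog lookup and exposes SignatureType. That this catalog lookup fails under the scheduler in the same way as HARDENING's CryptCATAdminEnumCatalogFromHash call is an assumption the two runs are meant to confirm or refute; the script changes nothing on the system.

```powershell
# Added diagnostic, not from the mail above and not part of VirtualBox.
# Run twice as the same restricted user (interactive shell vs. scheduled task)
# and diff the output files.
# Assumptions: $Dlls and $OutFile are placeholders; Windows 10 / Windows
# PowerShell 5.1 (Get-AuthenticodeSignature does catalog lookups there).
param(
    [string[]]$Dlls   = @("$env:SystemRoot\System32\NetSetupShim.dll"),   # DLL named in the mail
    [string]  $OutFile = "$env:TEMP\hardening-diag-$PID.txt"              # placeholder path
)

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Well-known SIDs usually translate; fall back to the raw SID string if not.
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

$out = New-Object System.Collections.Generic.List[string]

# 1. Token membership. INTERACTIVE (S-1-5-4) is present for console/RDP logons
#    and absent in a logon session created by the Task Scheduler. IsInRole only
#    counts enabled groups, so a UAC-filtered admin token reports False here too.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$out.Add("User:                     $($id.Name)")
$out.Add("Member of INTERACTIVE:    " + $principal.IsInRole([System.Security.Principal.WellKnownSidType]::InteractiveSid))
$out.Add("Member of Administrators: " + $principal.IsInRole([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid))

# 2. Machine-wide DCOM launch/activation default, i.e. what applies to any AppID
#    that has no LaunchPermission value of its own. If the registry value is
#    absent, the built-in default applies: Administrators, SYSTEM, INTERACTIVE.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.DefaultLaunchPermission) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($ole.DefaultLaunchPermission, 0)
    $out.Add("DefaultLaunchPermission ACEs:")
    foreach ($ace in ($sd.DiscretionaryAcl | Where-Object { $_ -is [System.Security.AccessControl.KnownAce] })) {
        # COM access-mask bits (iaccess.h): 1 EXECUTE, 2 EXECUTE_LOCAL, 4 EXECUTE_REMOTE,
        # 8 ACTIVATE_LOCAL, 16 ACTIVATE_REMOTE. A local activation needs bit 8 (or 1).
        $rights = @()
        if ($ace.AccessMask -band 1)  { $rights += 'EXECUTE' }
        if ($ace.AccessMask -band 2)  { $rights += 'LOCAL_LAUNCH' }
        if ($ace.AccessMask -band 4)  { $rights += 'REMOTE_LAUNCH' }
        if ($ace.AccessMask -band 8)  { $rights += 'LOCAL_ACTIVATION' }
        if ($ace.AccessMask -band 16) { $rights += 'REMOTE_ACTIVATION' }
        $out.Add(("  {0,-13} {1,-32} {2}" -f $ace.AceType, (Resolve-Sid $ace.SecurityIdentifier), ($rights -join ',')))
    }
} else {
    $out.Add("DefaultLaunchPermission not set: built-in default (Administrators, SYSTEM, INTERACTIVE) applies")
}

# 3. Signature verification of the DLLs in this logon session. System DLLs carry
#    no embedded signature; Status=Valid with SignatureType=Catalog means the
#    catalog lookup worked for this user in this kind of session.
$out.Add("DLL signature check:")
foreach ($dll in $Dlls) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    $out.Add(("  {0,-32} {1,-12} {2}" -f (Split-Path $dll -Leaf), $sig.Status, $sig.SignatureType))
}

$out | Set-Content -Path $OutFile
$out
```

To get the scheduler-side run, register the script as a task for the restricted account (hypothetical names, substitute your own), e.g. `Register-ScheduledTask -TaskName 'hardening-diag' -Action (New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\tools\hardening-diag.ps1') -User 'HOST\restricted' -Password '<password>'` followed by `Start-ScheduledTask -TaskName 'hardening-diag'`, then compare `%TEMP%\hardening-diag-*.txt` from both runs. If the interactive run shows INTERACTIVE=True with Valid/Catalog and the task run shows INTERACTIVE=False with a non-Valid status, that reproduces the mail's observation without touching group membership. Per-AppID overrides live in HKCR\AppID\{GUID}\LaunchPermission and are decoded the same way once the component in question is identified, which the mail notes has not happened yet.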