如何保护MSI不被修改 [英] How to protect MSI against modification
问题描述
我想保护MSI文件不被修改。使用ORCA或MSI API可以轻松完成。令人遗憾的是,任何人都可以修改/添加/删除具有管理员权限的Windows Installer自定义操作或属性。
I would like to protect the MSI file against modification. It could be easily done with ORCA or with MSI API. It is sad because anyone can modify/add/remove windows installer custom actions or properties who have admin rights.
有没有办法将MSI文件设置为某些读取权限,
Is there any way to set an MSI file to some read-only mode or somehow protect its content?
推荐答案
简短的回答是否,您不能阻止某人编辑.msi文件。您可以采取多种方法来最大程度地减少某人这样做的可能性,或者增加与任何编辑相关的难度的方法,但是您不能完全避免这种情况。
The short answer is no, you cannot prevent someone from editing a .msi file. There are various approaches you can take to minimize the likelihood of someone doing so, or approaches that increase the difficulties associated with any edit, but you cannot fully prevent it.
要要更好地回答这个问题,就必须完善您所提出的问题。 保护听起来像是一个安全问题,因此它至少有助于建立扶手椅威胁模型。例如,您可能想防止以下三件事:
To answer this better, one must refine the question you are asking. "Protect" sounds like a security sort of question, so it helps to establish at least an armchair threat model. For instance, here are three things you may be trying to prevent:
- 感兴趣的用户更改了安装到该用户系统的位
- 公司用户修改其系统管理员在用户计算机上安装的内容
- 恶意方更改并提供伪装成别人错误安装的应用程序
这三个中,第一个并不是真正的安全边界,因此您无能为力。这是需要管理员权限并且用户拥有权限的安装,或者是每用户安装,允许没有管理员权限的用户使用它。无论哪种情况,.msi对该系统的访问都不会超过对其进行更改的用户。
Of those three, the first isn't really a security boundary, so there's not much you can do. Either it's an install that requires administrative privileges and the user has them, or it's a per-user install that allows users without administrative privileges to use it. In either case, the .msi has no more access to the system than the user who altered it already had.
第二个跨越边界,但涉及到应该努力验证签名,并可能从源而不是从用户那里获取安装。第三个是明显的安全问题,不幸的是涉及到您无法可靠地期望自己在验证签名方面勤奋工作的人。
The second crosses a boundary, but involves someone who should be diligent about verifying signatures, and may likely acquire the installation from the source instead of the user. The third is a clear security concern, and unfortunately involves people you cannot reliably expect to be diligent about verifying signatures.
那么您该怎么办?
- 您可以签名.msi文件。如果文件已更改,则留下文件被更改的迹象。请注意,转换(.mst文件)可以更改 .msi在不更改文件本身的情况下会做什么?
- 您可以尝试向潜在用户教育接受UAC提示之前验证数字签名的重要性。这不会阻止试图破坏您的许可的人,但可以帮助某人避免安装恶意软件,而不是安装您的实际程序。
- 您可以将.msi包装在签名的.exe引导程序中。这使事情更难以访问。尝试使用常规工具将无法直接进行,而是需要更改方弄清楚如何提取.msi文件。尽管通常这并不难,但这至少是另一个障碍。
- 您可以尝试将签名验证插入.msi文件。就像您说的那样,除非进一步将它们与重要且难以复制的其他代码结合使用,否则通过进一步更改.msi文件可能很容易消除这些缺陷。当然,这只会使更改变得更加困难。但并非不可能。同样,您将必须考虑.mst情况,以及是否要支持管理安装和这些缓存中的安装。
- 您可以向应用程序本身添加相关签名或其他验证。如果.msi文件已更改,但未更改计算机上安装的文件,您的应用程序是否在乎?答案取决于您要严格保护的目标。
- 考虑其他打包或部署选项,无论是来自Microsoft(例如.appx / .msix)还是第三方。每个都有各自的优点和缺点,以及对我在这里讨论的每件事的敏感性。
- 在其他地方运行您的应用程序;例如,将您的应用程序重写为Web应用程序,以便不进行安装。显然,这仅适用于某些类型的应用程序,但是这个列表还在增长。
- You can sign the .msi file. This leaves indications that the file was altered, if it was. Note that transforms (.mst files) can alter what the .msi does without altering the file itself; however this also affects the representation of the signed status.
- You can try to educate your prospective users about the importance of verifying the digital signature before accepting a UAC prompt. This won't stop someone who's trying to subvert your licensing, but may help someone avoid installing malware instead of your actual program.
- You can wrap the .msi in a signed .exe bootstrap. This makes things harder to access; attempts to use the normal tooling won't work directly, and instead require the altering party to figure out how to extract the .msi file. While that's typically not very difficult, it's at least another hurdle.
- You can try to inject signature verifications into the .msi file. As you say, these are likely to be easy to defeat by further alterations to the .msi file, unless you can couple them with important and hard to duplicate other code. That, of course, merely makes it harder to alter; but not impossible. Again you'll have to consider the .mst case, and whether you want to support administrative installations and installations from those caches.
- You can add relevant signature or other verifications to the app itself. If the .msi file is altered, but it doesn't alter what is installed to the machine, does your app care? The answer depends on what exactly you're trying to protect against; for instance it won't help prevent tag-along malware.
- Consider other packaging or deployment options, whether from Microsoft (like .appx / .msix) or from third parties. Each comes with their own set of advantages and disadvantages, and their own level of susceptibility to each thing I've discussed here.
- Run your app somewhere else; for example, rewrite your app as a web application so that there is no installation. Obviously this can only work for certain kinds of applications, but that list continues to grow.
您不能做什么?
- 让所有用户都给予足够的关注
- 防止恶意用户创建假装为您的应用但只有恶意负载
- 防止计算机所有者在运行.msi之前或之后更改计算机
- 支持人们使用.msi文件而不仅仅是使用.msi文件的所有方式(管理安装,转换,重新打包,各种.msi特定的部署实用程序等)都是某些类软件的正常使用模式)
- Make all users pay enough attention
- Prevent a malicious party from creating an installer that pretends to be for your app but has only a malicious payload
- Prevent a machine's owner from altering the machine either before or after the .msi runs
- Support all of the ways people use .msi files without just using a .msi file (administrative installs, transforms, "repackaging", various .msi-specific deployment utilities, etc. are all normal use patterns for certain classes of software)
在本练习结束时,您必须确定这是否对您有利,还是可以接受。确保您了解为什么有人想要更改您的.msi文件,并且在专注于.msi文件本身之前,请考虑他们是否可以通过非.msi方式产生相同的效果。如果它特定于.msi且很麻烦,请研究其他安装技术。如果没有什么可以阻止您试图阻止的情况,也许您可以找到减少人们尝试它的动力的方法。
At the end of this exercise, you'll have to decide whether this is a deal breaker for you, or something you can accept. Make sure you understand why someone would want to alter your .msi file, and before focusing on the .msi file itself, consider whether they can have the same effect through non-.msi means. If it's specific to .msi and is a deal breaker, look into other installation technologies. If nothing can prevent the scenario you seek to prevent, perhaps you can find ways to reduce the incentive for people to attempt it.
这篇关于如何保护MSI不被修改的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
