Security Basics mailing list archives
RE: Messenger service abuse (from inside the network)
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 5 Dec 2003 12:16:11 -0800
Fish, Barrel, Shotgun.

Good call, this ties well into physical security of your boxes. Personally I thought more school districts were running Novell, they have great tools for locking down the systems, data wise. Some no nonsense (commonsense?) rules are:

1.) Disable booting to any device but the system drive
2.) Lock the case/computer down (physically)
3.) Disable all non used ports, (USB, Firewire, etc) those little USB drives are getting pretty large. Sometimes I place a piece of metal in front of them behind the faceplate in the case, works well.

Make sure your backup (restore) admin account has a password, or someone can F8 into the restore console and wreak havoc. Also make sure the local system account has a password, the vast majority of OEM vendors don't place one on the system, then when companies get the boxes they add it to the domain but don't rename/disable/pass change the local admin account.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Camp, Mr Tony J. [mailto:camptj () centcom mil]
Sent: Friday, December 05, 2003 5:23 AM
To: Alexander Lukyanenko; security-basics () securityfocus com
Subject: RE: Messenger service abuse (from inside the network)

For this to be effective, the box will need to be physically secured as well. Disable CD booting in the BIOS, password protect the BIOS, and put a padlock on the case (to prevent BIOS reset by jumper). Otherwise they could just boot to a certain cd, blank the local admin password, and reset the ACL on the net command.

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Wednesday, December 03, 2003 7:48 PM
To: Alexander Lukyanenko; security-basics () securityfocus com
Subject: RE: Messenger service abuse (from inside the network)

One account for all those students...*whimper*. You just angered the Audit gods!

I assume they are using the net command for it:

    net SEND /DOMAIN:YOURDOMAIN I-Hax0r-U

Just ACL the net command to SYSTEM, DOMAIN ADMINS, etc. Make sure you got everything locked down on the system (gpedit.msc). Also make sure they aren't installing any software for messenger spamming.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Alexander Lukyanenko [mailto:sashman () ua fm]
Sent: Wednesday, December 03, 2003 11:58 AM
To: security-basics () securityfocus com
Subject: Messenger service abuse (from inside the network)

Hello list.

I administer a high school network running W2K Pro in an Active Directory domain. The problem is that the users abuse the Messenger service by sending some mischief over the network (furthermore, they even write batch files that repeatedly flood the domain with the same text). Is there a way to prevent this, except by changing net.exe's ACL on all machines (or beating the offenders after classes :)? Stopping Messenger service on the workstations is not a solution, as it is used for sending various administrative messages. All students share a common AD account (it would be cumbersome to maintain 300+ user accounts, as most of them use the PCs for short periods only).

Best regards

Alexander V. Lukyanenko
ma1lt0: sashman ua fm
ICQ# : 86195208
Phone : +380 44 458 07 23
OpenPGP key ID: 75EC057C
NIC : SASH4-UANIC
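
An added example, not part of the thread and not any poster's code: a read-only PowerShell check that the ACL on the net command suggested above is actually in place on a workstation. The allowlist, the YOURDOMAIN placeholder and the inclusion of net1.exe (which net.exe hands its work to) are assumptions; PowerShell postdates the Windows 2000 machines discussed, so this applies to later Windows versions.

```powershell
# Added example: list ACEs on the net command binaries that let any
# principal outside an allowlist execute them. Read-only; changes nothing.
$allowed = @(                       # assumption: who should keep access
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'YOURDOMAIN\Domain Admins'      # placeholder domain, as in the thread
)
$targets = @(
    "$env:SystemRoot\System32\net.exe",
    "$env:SystemRoot\System32\net1.exe"   # net.exe hands its work to net1.exe
)
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-UnexpectedExecuteAce {
    param([string[]]$Path, [string[]]$AllowedPrincipal)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
            $isAllow   = $ace.AccessControlType -eq 'Allow'
            $canRun    = ($ace.FileSystemRights -band $execute) -ne 0
            $principal = $ace.IdentityReference.Value
            # Report every Allow ACE with execute rights held by a
            # principal that is not on the allowlist.
            if ($isAllow -and $canRun -and
                ($AllowedPrincipal -notcontains $principal)) {
                [pscustomobject]@{
                    File      = $file
                    Principal = $principal
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-UnexpectedExecuteAce -Path $targets -AllowedPrincipal $allowed)
if ($findings.Count -eq 0) { 'net command ACLs match the allowlist.' }
else { $findings | Format-Table -AutoSize }
```

As the thread points out, this ACL only holds while the machine is physically secured, since anyone who can boot other media and blank the local admin password can reset it.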
Current thread:
- Re[2]: Messenger service abuse (from inside the network), (continued)
- Re[2]: Messenger service abuse (from inside the network) Alexander Lukyanenko (Dec 04)
- RE: Messenger service abuse (from inside the network) Zachary Mutrux (Dec 05)
- RE: Messenger service abuse (from inside the network) Mark Harris (Dec 09)
- RE: Messenger service abuse (from inside the network) Rod Trent (Dec 09)
- RE: Messenger service abuse (from inside the network) Hunt, Jim (Dec 04)
- RE: Re[2]: Messenger service abuse (from inside the network) Shawn Jackson (Dec 04)
- Re[4]: Messenger service abuse (from inside the network) Alexander Lukyanenko (Dec 05)
- RE: Messenger service abuse (from inside the network) Nero, Nick (Dec 04)
- RE: Messenger service abuse (from inside the network) Camp, Mr Tony J. (Dec 05)
- Re[2]: Messenger service abuse (from inside the network) Alexander Lukyanenko (Dec 05)
- RE: Messenger service abuse (from inside the network) Shawn Jackson (Dec 05)
- RE: Messenger service abuse (from inside the network) Day, David (Dec 08)