Security Basics mailing list archives
Re[2]: Messenger service abuse (from inside the network)
From: Alexander Lukyanenko <sashman () ua fm>
Date: Fri, 5 Dec 2003 21:39:47 +0200
Hello Mr. Tony J. Camp,

The box IS secured, no CD-ROM drives are present, floppy drives are disabled from the BIOS (which is password-protected), the HDD is the only device mentioned in the bootup sequence. Physical modification is not possible (the users dare not do anything to the hardware). The /boot partition (errm, no /boot on Windows, I mean the C: drive where the ntldr lives) is NTFS and is correctly ACL'ed.

Friday, December 5, 2003, 3:23:02 PM, you wrote:

CMTJ> For this to be effective, the box will need to be physically secured as
CMTJ> well. Disable CD booting in the BIOS, password protect the BIOS, and put a
CMTJ> padlock on the case (to prevent BIOS reset by jumper). Otherwise they could
CMTJ> just boot to a certain cd, blank the local admin password, and reset the ACL
CMTJ> on the net command.

CMTJ> -----Original Message-----
CMTJ> From: Shawn Jackson [mailto:sjackson () horizonusa com]
CMTJ> Sent: Wednesday, December 03, 2003 7:48 PM
CMTJ> To: Alexander Lukyanenko; security-basics () securityfocus com
CMTJ> Subject: RE: Messenger service abuse (from inside the network)

CMTJ> One account for all those students...*whimper*. You just angered the
CMTJ> Audit gods! I assume they are using the net command for it:

CMTJ>     net SEND /DOMAIN:YOURDOMAIN I-Hax0r-U

CMTJ> Just ACL the net command to SYSTEM, DOMAIN ADMINS, etc. Make sure
CMTJ> you got everything locked down on the system (gpedit.msc). Also make sure
CMTJ> they aren't installing any software for messenger spamming.

CMTJ> Shawn Jackson
CMTJ> Systems Administrator
CMTJ> Horizon USA
CMTJ> 1190 Trademark Dr #107
CMTJ> Reno NV 89521
CMTJ> www.horizonusa.com
CMTJ> Email: sjackson () horizonusa com
CMTJ> Phone: (775) 858-2338
CMTJ>        (800) 325-1199 x338

CMTJ> -----Original Message-----
CMTJ> From: Alexander Lukyanenko [mailto:sashman () ua fm]
CMTJ> Sent: Wednesday, December 03, 2003 11:58 AM
CMTJ> To: security-basics () securityfocus com
CMTJ> Subject: Messenger service abuse (from inside the network)

CMTJ> Hello list.

CMTJ> I administer a high school network running W2K Pro in an Active Directory
CMTJ> domain.
CMTJ> The problem is that the users abuse the Messenger service by sending some
CMTJ> mischief over the network (furthermore, they even write batch files that
CMTJ> repeatedly flood the domain with the same text). Is there a way to prevent this,
CMTJ> except by changing net.exe's ACL on all machines (or beating the offenders
CMTJ> after classes :)? Stopping Messenger service on the workstations is not a
CMTJ> solution, as it is used for sending various administrative messages. All
CMTJ> students share a common AD account (it would be cumbersome to maintain 300+
CMTJ> user accounts, as most of them use the PCs for short periods only).

CMTJ> Best regards
CMTJ> Alexander V. Lukyanenko

* * * * * * * * * * * * * * * *
* Alexander V. Lukyanenko
* ma1lt0: sashman ua fm
* ICQ#  : 86195208
* Phone : +380 44 458 07 23
* OpenPGP key ID: 75EC057C
* NIC   : SASH4-UANIC
* * * * * * * * * * * * * * * *
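
The "ACL the net command" advice quoted in this message can be verified per workstation. The following is an added example, not part of the original thread: a PowerShell audit (for current Windows, not the W2K tooling of 2003) that lists every principal outside an allow-list that may execute net.exe. The function name, the allow-list, and the inclusion of net1.exe alongside net.exe are assumptions of this example.

```powershell
# Added example (not from the thread): find principals that can still
# execute net.exe after the ACL has supposedly been restricted.
function Get-UnexpectedExecuteAce {
    param(
        # Binaries to check; net1.exe is included as an assumption.
        [string[]]$Path = @("$env:SystemRoot\System32\net.exe",
                            "$env:SystemRoot\System32\net1.exe"),
        # Assumed allow-list; replace YOURDOMAIN with the real domain name.
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM',
                               'BUILTIN\Administrators',
                               'YOURDOMAIN\Domain Admins')
    )
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($file in $Path) {
        # Skip binaries that do not exist on this Windows version.
        if (-not (Test-Path -LiteralPath $file)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
            $who = $ace.IdentityReference.Value
            # Only Allow ACEs that include the execute bit matter here.
            # ACEs stored as raw generic rights are not decoded by this
            # check and need a manual look.
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band $execute) -and
                ($Allowed -notcontains $who)) {
                [pscustomobject]@{
                    File      = $file
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# An empty result means only allow-listed principals can run the binary.
Get-UnexpectedExecuteAce | Format-Table -AutoSize
```

An empty report covers only the copies under System32; it says nothing about a user-supplied copy or other messaging software, which is the point of the "make sure they aren't installing any software" advice in the quoted reply.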