Security Basics mailing list archives

RE: Unwanted programs on Win2K


From: "Tim V - DZ " <iceburn () dangerzone com>
Date: Wed, 5 Feb 2003 09:11:02 -0600

s-

In my experience it's the 2nd one that usually gets you.  If you write
an app that is for the most part self-sustaining, when you create an
'installer' there is no requirement that the installer ask for an
administrator password. 

If you have access to write and execute to any directory on the local
drive you can install at least some software.  For the most part all an
installer does is copy or un-archive and copy files from one location to
another.  In the windows world this has been morphed and discombobulated
into editing the registry, using a windows installer, going through an
"application installation server," informing active directory of
available apps, etc.

Anyway, this is a security list right?  So what does it take to
'install' and run a program like fport.exe?  It's a command line single
executable, but it requires admin privileges to run.  Then there are
kiddie friendly tools like the Angry IP Scanner and Blues Port Scanner
that are single gui executables that can be copied to run from any _any_
directory that you have write/exec permissions on...like the 3.5 inch
floppy drive, or have you seen these thumb drives or diskonkey...no
drivers needed, just a usb port - blam a whole 64MB hard disk with full
access!

The best way to prevent what you're talking about is to remove the
floppy and cd-rom drives and lock down the file systems so there is no
write / exec access to directories on the C drive - which is basically
unreasonable and painful to find everything you need permissions to in
order to run windows.  

Common ground is typically lock down the local disk - especially sysdir,
root dir, and docs and settings.  Then give read/write to c:\temp\
optionally don't allow subdirectories to be created.  Through group
policy give appropriate permissions to the CD-Rom and other things like
'mountability' of NTFS media etc.  Definitely don't allow the floppy
drive or CD to boot before local disk in bios.  A simple linux boot disk
will render all this ineffective.  Another 'neat thing to do' is never
give the 'everyone' group access to anything - always use the
'authenticated users' group...anyway, I've started strolling off
point....

-t

======================================
Whole lotta Linux on a bootable floppy:
http://trinux.sourceforge.net/why.html 

Fport and others:
http://www.foundstone.com/knowledge/intrusion_detection.html

Blues Port Scanner:
http://www.webattack.com/get/bluescan.shtml

Angry IP Scanner:
http://www.angryziber.com/ipscan/ 
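An added example, not code from the thread, for the check Tim's message implies: before trusting a lab lockdown, audit the local disk for directories where an ordinary user can both drop a file and run it (the "write/exec permissions" he mentions), and flag the ones where subdirectories can be created or where the grant goes to 'Everyone' rather than 'Authenticated Users'. It assumes Windows PowerShell 5.1 or PowerShell 7 on a current Windows build; Get-Acl and Get-ChildItem -Directory did not exist on Windows 2000, where the same audit would have been done with cacls.exe. The principal list is an assumption about what a lab user's token carries.

```powershell
# Added example, not code from the thread. Static DACL audit for "drop a file and run it"
# directories. Assumes Windows PowerShell 5.1 / PowerShell 7 on a current Windows build.

function Get-EffectiveDirRights {
    # Approximate the access mask a set of principals gets on one directory from its DACL:
    # OR together the Allow ACEs, then strip whatever the Deny ACEs take away. A real access
    # check walks the canonical ACE order against the logged-on token (nested groups, owner
    # rights), so treat this as an audit heuristic, not a proof of what the user can do.
    param($Aces, [string[]]$Principals)

    $FSR          = [System.Security.AccessControl.FileSystemRights]
    $GENERIC_ALL  = 0x10000000   # some ACEs still carry generic bits instead of specific rights
    $GENERIC_EXEC = 0x20000000
    $execBits     = ([int]$FSR::ExecuteFile) -bor $GENERIC_ALL -bor $GENERIC_EXEC
    $objInherit   = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $allow = 0; $deny = 0; $execInherits = $false

    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor $mask
            # ExecuteFile on a directory ACE only reaches dropped files if the ACE is
            # object-inherited, i.e. it gets copied onto files created in this directory.
            $oi = ([int]$ace.InheritanceFlags) -band $objInherit
            if ($oi -ne 0 -and ($mask -band $execBits) -ne 0) { $execInherits = $true }
        } else {
            $deny = $deny -bor $mask
        }
    }
    [PSCustomObject]@{
        Allow               = $allow -band (-bnot $deny)
        ExecInheritsToFiles = $execInherits
    }
}

function Find-DropAndRunDirs {
    # Walk a tree and report every directory where the given principals can create files.
    # Any logged-on lab user carries these group SIDs, so they are the ones that matter here
    # (assumed principal list; adjust for your domain).
    param(
        [string]$Root = 'C:\',
        [string[]]$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    $FSR           = [System.Security.AccessControl.FileSystemRights]
    $GENERIC_ALL   = 0x10000000
    $GENERIC_WRITE = 0x40000000
    $createFile = ([int]$FSR::CreateFiles)       -bor $GENERIC_ALL -bor $GENERIC_WRITE  # 0x02 = WriteData
    $createDir  = ([int]$FSR::CreateDirectories) -bor $GENERIC_ALL -bor $GENERIC_WRITE  # 0x04 = AppendData

    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($d in $dirs) {
        # Reparse points and access-denied directories are skipped rather than aborting the run.
        try { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop } catch { continue }
        $r = Get-EffectiveDirRights -Aces $acl.Access -Principals $Principals
        if (($r.Allow -band $createFile) -eq 0) { continue }   # cannot drop a file here: not interesting
        [PSCustomObject]@{
            Path              = $d.FullName
            CanCreateSubdir   = ($r.Allow -band $createDir) -ne 0   # "optionally don't allow subdirectories"
            NewFilesRunnable  = $r.ExecInheritsToFiles               # drop-and-run, the case that matters
            GrantedToEveryone = [bool]($acl.Access | Where-Object {  # 'Everyone' vs 'Authenticated Users'
                $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' })
        }
    }
}

# Usage (run elevated so every ACL is readable): list the writable directories where a
# dropped executable would also be runnable, which should be only the scratch dir you intended.
Find-DropAndRunDirs -Root 'C:\' | Where-Object NewFilesRunnable | Format-Table -AutoSize
```

The static scan finds the obvious holes (a world-writable C:\temp that also inherits Execute, an application directory that shipped with Users: Modify), but it ignores ACE ordering, nested group membership and owner rights, so the definitive test is still to log on as the restricted account, copy a harmless executable into each candidate directory and try to run it.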


-----Original Message-----
From: Simon Taplin [mailto:simont () lantic net] 
Sent: Tuesday, February 04, 2003 2:27 PM
To: Security-Basics; ahaly () softhome net
Subject: RE: Unwanted programs on Win2K

Hello Ahaly

As an admin working in a uni environment, I have seen this before.

It depends on what the admins have set up. Some accounts may be part of the
Power Users group which gives them rights to install for that user only.
Yours might be part of the more restricted Users group. Also, some progs
let you install, and then reboot the machine, and when you log back in, ask
for the Administrator account to finish the install but if you press cancel,
still work.

Next reason is that some apps might not need Administrator access to
install.

Last possible reason, - your fellow students have gotten hold of an
Administrator password.

Simon

Quote of the day:
Systems Administration is the kind of job that nobody notices if you're
doing it well. People only take notice of their systems when they're not
working.

-----Original Message-----
From: ahaly () softhome net [mailto:ahaly () softhome net]
Sent: 02 February 2003 01:38
To: security-basics () securityfocus com
Subject: Unwanted programs on Win2K




Hey,

This question is not from an admin but an end-user. I am doing my studies
in a big university and we have many Win2K machines in our labs and
library.

Sometimes I find applications like Yahoo and MSN Messenger installed on
these machines. I have also sometimes seen things like Kazaa. Technically
these are not supposed to be there. As in, only the apps that are installed
by admins are supposed to be there and the above mentioned apps are not
part of the admin list of apps. When I try to install an application, I
get an error saying that I don't have privileges. I know I don't have
privileges but there is someone out there who has found a way to bypass
the restrictions.

Question: How can someone bypass restrictions in Win2k to install software
when he doesn't have proper privileges?
Reason for asking question: If someone can install Kazaa, someone can also
install a keyreader or something like that.
Maybe I am paranoid, but every time I login, maybe I am telling someone -
hey, this is my password.


Ahaly

---

This email has been scanned by AVG Anti-Virus
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 2003/01/27


