Security Basics mailing list archives
RE: Unwanted programs on Win2K
From: "Tim V - DZ " <iceburn () dangerzone com>
Date: Wed, 5 Feb 2003 09:11:02 -0600
s-

In my experience it's the 2nd one that usually gets you. If you write an app that is for the most part self sustaining, when you create an 'installer' there is no requirement that the installer asks for an administrator password. If you have access to write and execute to any directory on the local drive you can install at least some software. For the most part all an installer does is copy or un-archive and copy files from one location to another. In the windows world this has been morphed and discombobulated into editing the registry, using a windows installer, going through an "application installation server," informing active directory of available apps, etc.

Anyway, this is a security list right? So what does it take to 'install' and run a program like fport.exe? It's a command line single executable, but it requires admin privileges to run. Then there are kiddie friendly tools like the Angry IP Scanner and Blues Port Scanner that are single gui executables that can be copied to run from any _any_ directory that you have write/exec permissions on...like the 3.5 inch floppy drive, or have you seen these thumb drives or diskonkey...no drivers needed, just a usb port - blam, a whole 64MB hard disk with full access!

The best way to prevent what you're talking about is to remove the floppy and cd-rom drives and lock down the file systems so there is no write / exec access to directories on the C drive - which is basically unreasonable, and painful to find everything you need permissions to in order to run windows. Common ground is typically: lock down the local disk - especially sysdir, root dir, and docs and settings. Then give read/write to c:\temp\; optionally, don't allow subdirectories to be created. Through group policy give appropriate permissions to the CD-Rom and other things like 'mountability' of NTFS media etc. Definitely don't allow the floppy drive or CD to boot before local disk in bios. A simple linux boot disk will render all this ineffective.

Another 'neat thing to do' is never give the 'everyone' group access to anything - always use the 'authenticated users' group...anyway, I've started strolling off point....

-t

======================================
Whole lotta Linux on a bootable floppy: http://trinux.sourceforge.net/why.html
Fport and others: http://www.foundstone.com/knowledge/intrusion_detection.html
Blues Port Scanner: http://www.webattack.com/get/bluescan.shtml
Angry IP Scanner: http://www.angryziber.com/ipscan/

-----Original Message-----
From: Simon Taplin [mailto:simont () lantic net]
Sent: Tuesday, February 04, 2003 2:27 PM
To: Security-Basics; ahaly () softhome net
Subject: RE: Unwanted programs on Win2K

Hello Ahaly

As an admin working in a uni environment, I have seen this before. It depends on what the admins have set up. Some accounts may be part of the Power Users group which gives them rights to install for that user only. Yours might be part of the more restricted Users group. Also, some progs let you install, and then reboot the machine, and when you log back in, ask for the Administrator account to finish the install, but if you press cancel, still work. Next reason is that some apps might not need Administrator access to install. Last possible reason - your fellow students have gotten hold of an Administrator password.

Simon

Quote of the day: Systems Administration is the kind of job that nobody notices if you're doing it well. People only take notice of their systems when they're not working.

-----Original Message-----
From: ahaly () softhome net [mailto:ahaly () softhome net]
Sent: 02 February 2003 01:38
To: security-basics () securityfocus com
Subject: Unwanted programs on Win2K

Hey,

This question is not from an admin but an end-user. I am doing my studies in a big university and we have many Win2K machines in our labs and library. Sometimes I find applications like Yahoo and MSN Messenger installed on these machines. I have also sometimes seen things like Kazaa.

Technically these are not supposed to be there. As in, only the apps that are installed by admins are supposed to be there, and the above mentioned apps are not part of the admin list of apps. When I try to install an application, I get an error saying that I don't have privileges. I know I don't have privileges, but there is someone out there who has found a way to bypass the restrictions.

Question: How can someone bypass restrictions in Win2k to install software when he doesn't have proper privileges?

Reason for asking question: If someone can install Kazaa, someone can also install a keyreader or something like that. Maybe I am paranoid, but every time I login, maybe I am telling someone - hey, this is my password.

Ahaly

---
This email has been scanned by AVG Anti-Virus
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 2003/01/27
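As an added example (this is not code from the thread or from any of its posters), the following PowerShell script does two of the things Tim's reply describes: it walks a drive for directories where Everyone, Users, Authenticated Users or INTERACTIVE hold both write and execute rights (the "copy it to any directory you can write to and run it" condition he points at), and it builds the c:\temp ACL he suggests, granting Authenticated Users rather than Everyone read/write on files while withholding the right to create subdirectories. It assumes PowerShell 5 or later on a current Windows (Windows 2000 itself only had cacls.exe for this), the standard well-known group names, and a hypothetical -Apply switch; without -Apply it only reports.

```powershell
# Added example, not from the thread. Audits a drive for directories where broad
# groups hold write+execute, then builds the c:\temp ACL suggested in the post:
# Authenticated Users (never Everyone) can read and write files, but cannot
# create subdirectories. Requires PowerShell 5+ and an elevated prompt.
using namespace System.Security.AccessControl

param(
    [string]$Root    = 'C:\',
    [string]$TempDir = 'C:\temp',
    [switch]$Apply            # hypothetical: without -Apply nothing is changed
)

# Principals that effectively mean "any logged-on student" (assumed names).
$BroadGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# On a directory, WriteData = create files and AppendData = create subdirectories.
$WriteBits   = [int][FileSystemRights]'WriteData, AppendData'
$ExecuteBits = [int][FileSystemRights]'ExecuteFile'
$GenericAll  = 0x10000000   # GENERIC_ALL, seen on some inherited ACEs

# Reports Allow ACEs for broad groups that carry both write and execute bits.
# Deny ACEs and group nesting are not evaluated: hits are candidates to confirm
# with the Effective Access tab, not findings.
function Find-WritableExecutableDirs {
    param([string]$Path, [string[]]$Groups)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Groups -notcontains $ace.IdentityReference.Value) { continue }
            $rights   = [int]$ace.FileSystemRights
            $canWrite = (($rights -band $WriteBits)   -ne 0) -or (($rights -band $GenericAll) -ne 0)
            $canExec  = (($rights -band $ExecuteBits) -ne 0) -or (($rights -band $GenericAll) -ne 0)
            if ($canWrite -and $canExec) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
      }
}

# Builds (but does not apply) a DACL for a shared scratch directory.
function New-TempDirAcl {
    param([string]$Path)
    $both = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none = [PropagationFlags]::None

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)          # break inheritance, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $admins = [FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', $both, $none, 'Allow')
    $system = [FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM',    'FullControl', $both, $none, 'Allow')

    # The directory itself: list, read, create files. CreateDirectories (AppendData)
    # is deliberately absent, so users cannot create subdirectories.
    $usersDir = [FileSystemAccessRule]::new(
        'NT AUTHORITY\Authenticated Users',
        'ReadAndExecute, CreateFiles, WriteAttributes, WriteExtendedAttributes',
        [InheritanceFlags]::ContainerInherit, $none, 'Allow')

    # Files inside: full Modify (write, append, delete). InheritOnly keeps this ACE
    # off the container, so it does not hand AppendData back at directory level.
    $usersFiles = [FileSystemAccessRule]::new(
        'NT AUTHORITY\Authenticated Users', 'Modify',
        [InheritanceFlags]::ObjectInherit, [PropagationFlags]::InheritOnly, 'Allow')

    foreach ($r in @($admins, $system, $usersDir, $usersFiles)) { $acl.AddAccessRule($r) }
    return $acl
}

if ($Apply -and -not (Test-Path -LiteralPath $TempDir)) {
    New-Item -ItemType Directory -Path $TempDir | Out-Null
}
if (Test-Path -LiteralPath $TempDir) {
    $planned = New-TempDirAcl -Path $TempDir
    $planned.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
    if ($Apply) { Set-Acl -LiteralPath $TempDir -AclObject $planned }
}

Find-WritableExecutableDirs -Path $Root -Groups $BroadGroups | Format-Table -AutoSize
```

The subdirectory restriction rests on splitting the grant into two ACEs: the container ACE omits AppendData, and a separate inherit-only ACE gives Modify on files. A single ACE inherited by both directories and files would either permit subdirectories or, if AppendData were denied, also block appending to existing files. The audit half is only a first pass; a Deny entry or a nested group can change the effective result, and a hit on a user's own profile directory is expected rather than a problem.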
Current thread:
- Unwanted programs on Win2K ahaly (Feb 03)
- RE: Unwanted programs on Win2K Simon Taplin (Feb 05)
- RE: Unwanted programs on Win2K Tim V - DZ (Feb 05)
- <Possible follow-ups>
- re: Unwanted programs on Win2K H C (Feb 04)
- re: Unwanted programs on Win2K Jeremy Gaddis (Feb 06)
- RE: Unwanted programs on Win2K Gedi (Feb 04)
- Re: Unwanted programs on Win2K Kamran Muzaffer (Feb 05)
- Re: Unwanted programs on Win2K Pez Mohr (Feb 05)
- RE: Unwanted programs on Win2K dave (Feb 06)
- Re: Unwanted programs on Win2K Kamran Muzaffer (Feb 05)
- RE: Unwanted programs on Win2K Simon Taplin (Feb 05)
- RE: Unwanted programs on Win2K Harris Samuel W PORT (Feb 04)
- Re: Unwanted programs on Win2K Meritt James (Feb 05)
- RE: Unwanted programs on Win2K Chris Berry (Feb 04)
- RE: Unwanted programs on Win2K Mike Heitz (Feb 05)