Re: NT configuration caution

[dleblanc () MINDSPRING COM (David LeBlanc)]

At 07:34 PM 4/20/98 -0400, George wrote:
> Hi Folks,
>
> I don't know exactly how common this is, and it certainly isn't a bug, but
> I've seen it enough that I think this post is justified.
>
> Configuration: NT4, IIS, Frontpage Extensions, Resource Kit.
>
> For a while now NT admins have had it easy because unlike UNIX, NT does not
> allow folks to get remote command line access for most of the types of
> connections it supports.
>
> It seems a lot of system administrators like to install the reskit and
> along with it use the rcmdsvc for remote control of their servers. rcmd
> allows one to get a remote command line much like telnet does with Unix.
>
> The problem comes in with the FrontPage extensions on NT (or any FTPD that
> requires users be entered into the NT user database). Each user who has a
> FP enabled website gets an account in the NT user database and this account
> gets the "logon locally" permission. What this in effect does is give
> everyone with a FP enabled website, access to the machine via rcmd as well
> as FP. Worse yet when they connect it dumps them right into the
> \winnt\system32 directory. From there they can TYPE files or EDLIN or any
> of the numerous tricks that the Unix admins have had to deal with for
> years. Depending on the configuration of the machine, many times it also
> gives them exec permissions for lots of programs and combined with the FP
> capability to download any program they want to the machine could make for
> a very dangerous combination. (how hard would it be to list the
> frontpage.ini file for example, a quick DIR FRONTP*.* /s and then a simple
> TYPE \path\FRONTPAGE.INI | more)
>
> The solution to this configuration error is to stop the rcmd service on the
> server and when you need access use the netsvc command to start it. Since
> only the admin has the permissions to stop and start services I think this
> should pretty much cure the problem. However I'd really like to hear from
> anyone who has ideas on this one.

Rcmd shouldn't be used in the first place - a better alternative exists.
In the server resource kit, update 1, there is a "Remote Console".  Remote
Console has several advantages - for one thing, it properly handles apps
which manipulate screen memory - rcmd just redirects stdin and stdout.
Perhaps the most important aspect is that it does properly impersonate the
logged in user - and those users are controlled by a special group which
remote console installs.  Also, it works from the "right to log on as a
batch file", not the "right to log on locally".  All in all, a much better
solution.  Further, IIRC, some versions of rcmd don't end up impersonating
the user, so all commands run as LocalSystem (much, much worse).

Even so, the file system permissions definately need some tightening -
anything under c:\program files has full access to everyone.  Also, IIS
seems not to change any of the existing file permissions, just taking
whatever is inherited from the directory you installed into.

Worrying about people typing files out isn't your problem - most of NT's
sensitive info won't be in text files.  Where the problem comes in is where
someone actually has permissions to change files - installing trojans into
c:\program files would be child's play.


David LeBlanc           |Why would you want to have your desktop user,
dleblanc () mindspring com |your mere mortals, messing around with a 32-bit
                        |minicomputer-class computing environment?
                        |Scott McNealy