Bugtraq mailing list archives
Re: NT configuration caution
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 21 Apr 1998 09:38:58 -0400
At 07:34 PM 4/20/98 -0400, George wrote:
Hi Folks,

I don't know exactly how common this is, and it certainly isn't a bug, but I've seen it enough that I think this post is justified.

Configuration: NT4, IIS, FrontPage Extensions, Resource Kit.

For a while now NT admins have had it easy because unlike UNIX, NT does not allow folks to get remote command line access for most of the types of connections it supports. It seems a lot of system administrators like to install the reskit and along with it use the rcmdsvc for remote control of their servers. rcmd allows one to get a remote command line much like telnet does with Unix.

The problem comes in with the FrontPage extensions on NT (or any FTPD that requires users be entered into the NT user database). Each user who has a FP enabled website gets an account in the NT user database and this account gets the "logon locally" permission. What this in effect does is give everyone with a FP enabled website access to the machine via rcmd as well as FP. Worse yet, when they connect it dumps them right into the \winnt\system32 directory. From there they can TYPE files or EDLIN or any of the numerous tricks that the Unix admins have had to deal with for years. Depending on the configuration of the machine, many times it also gives them exec permissions for lots of programs, and combined with the FP capability to download any program they want to the machine could make for a very dangerous combination. (How hard would it be to list the frontpage.ini file, for example: a quick DIR FRONTP*.* /s and then a simple TYPE \path\FRONTPAGE.INI | more.)

The solution to this configuration error is to stop the rcmd service on the server and when you need access use the netsvc command to start it. Since only the admin has the permissions to stop and start services, I think this should pretty much cure the problem. However, I'd really like to hear from anyone who has ideas on this one.
Rcmd shouldn't be used in the first place - a better alternative exists. In the server resource kit, update 1, there is a "Remote Console". Remote Console has several advantages - for one thing, it properly handles apps which manipulate screen memory - rcmd just redirects stdin and stdout. Perhaps the most important aspect is that it does properly impersonate the logged in user - and those users are controlled by a special group which Remote Console installs. Also, it works from the "right to log on as a batch file", not the "right to log on locally". All in all, a much better solution. Further, IIRC, some versions of rcmd don't end up impersonating the user, so all commands run as LocalSystem (much, much worse).

Even so, the file system permissions definitely need some tightening - anything under c:\program files has full access to everyone. Also, IIS seems not to change any of the existing file permissions, just taking whatever is inherited from the directory you installed into. Worrying about people typing files out isn't your problem - most of NT's sensitive info won't be in text files. Where the problem comes in is where someone actually has permissions to change files - installing trojans into c:\program files would be child's play.

David LeBlanc                | Why would you want to have your desktop user,
dleblanc () mindspring com   | your mere mortals, messing around with a 32-bit
                             | minicomputer-class computing environment?
                             | Scott McNealy
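The three conditions the two posts flag (rcmd service running, FP accounts holding "Log on locally", and Everyone having Full Control under Program Files) can be audited from an elevated PowerShell prompt on a current Windows host. This script is an added example and is not code from either poster; it assumes the Resource Kit service is registered under the name `rcmdsvc` as George called it, and uses `secedit` to export the user-rights assignments.

```powershell
# Added audit script (not from the thread). Assumes the Resource Kit remote
# command service is registered as 'rcmdsvc'; adjust if yours differs.
$RcmdServiceName = 'rcmdsvc'

# George's mitigation: the service should be stopped unless an admin starts it.
function Test-RcmdServiceStopped {
    $svc = Get-Service -Name $RcmdServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $true }          # not installed: nothing exposed
    return ($svc.Status -eq 'Stopped')
}

# David's point: Everyone with Full Control under Program Files lets any account
# that can run commands replace binaries. Returns the offending allow ACEs.
function Get-EveryoneFullControlAces {
    param([string]$Path = $env:ProgramFiles)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
}

# George's root cause: which accounts hold "Log on locally"
# (SeInteractiveLogonRight). Exported with secedit; SIDs translated to names.
function Get-InteractiveLogonAccounts {
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $names = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $names) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {             # '*S-1-5-...' form: resolve the SID
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }                    # unresolvable SID: report it raw
        } else { $entry }
    }
}

# Report (run elevated: secedit and Get-Acl on Program Files need admin rights).
"rcmd service stopped or absent: $(Test-RcmdServiceStopped)"
"Accounts with 'Log on locally':"
Get-InteractiveLogonAccounts | ForEach-Object { "  $_" }
$bad = @(Get-EveryoneFullControlAces)
"Everyone:FullControl allow ACEs on $($env:ProgramFiles): $($bad.Count)"
```

Any FrontPage site account appearing in the "Log on locally" list while the service is running is the combination George describes; a non-zero ACE count is the condition David says needs tightening.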