Bugtraq mailing list archives
Re: NT configuration caution
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 22 Apr 1998 08:11:31 -0400
At 08:44 AM 4/21/98 -1000, Tim Newsham wrote:
The problem comes in with the FrontPage extensions on NT (or any FTPD that requires users be entered into the NT user database). Each user who has a FP enabled website gets an account in the NT user database and this account gets the "logon locally" permission. What this in effect does is give
Can users also connect to the registry with these accounts?
Typically not - a normal server has admin:F only on the HKLM/System/CurrentControlSet/Control/SecurePipeServers/Winreg key. This means that only admins can access the registry remotely. However, those same users would have more access to the registry via a local command line. Most people aren't aware of how to do that from a CLI, but tools do exist which can be used.

If you're going to allow a user to come in via a remote shell, you also ought to go look at the privileges that everyone, interactive and users have to edit things in the registry. The main key that is going to need attention is HKLM\Software, esp. HKLM\Software\Classes. Note that some of the registry hacks I found which affect the HKLM\Software\Microsoft\Windows key could lead to gaining higher access. Look under advisories by date on http://www.microsoft.com/security for some more details, or RTFM the help system of the ISS NT scanner (I'm sure you must have a copy somewhere <g>).

I would also remove access to interactive for the HKLM\Software\Classes\AppID key and subkeys. Changing the association of .reg files with regedit.exe is also smart.

I believe Frank Ramos' DumpACL (see www.somarsoft.com) is a good tool to go find which users have access to what keys. I know it works well for the file system.

David LeBlanc              |Why would you want to have your desktop user,
dleblanc () mindspring com |your mere mortals, messing around with a 32-bit
                           |minicomputer-class computing environment?
                           |Scott McNealy
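An added example, not part of the original message: the message names DumpACL for finding who can edit which keys; this sketch does the same audit with PowerShell's Get-Acl on the keys the message singles out. The function name Get-BroadWriteAce is hypothetical, and the principal list adds Authenticated Users to the everyone, interactive and users groups the message mentions.

```powershell
# Added example: report Allow ACEs that let broad principals modify the
# keys named in the message. Run elevated so every ACL can be read.
$Keys = 'HKLM:\SOFTWARE',
        'HKLM:\SOFTWARE\Classes',
        'HKLM:\SOFTWARE\Classes\AppID',
        'HKLM:\SOFTWARE\Microsoft\Windows'

# Well-known SIDs, so the check does not depend on localized group names.
# Authenticated Users is an assumption added here, not named in the message.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership,
# plus GENERIC_WRITE and GENERIC_ALL, which show up in inheritable ACEs.
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string[]]$Path, [switch]$Recurse)
    $targets = foreach ($p in $Path) {
        $p
        if ($Recurse) {
            Get-ChildItem -LiteralPath $p -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { $_.PSPath }
        }
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($t in $targets) {
        try { $acl = Get-Acl -LiteralPath $t -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on ${t}: $_"; continue }
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $t
                Principal = $BroadSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-BroadWriteAce -Path $Keys | Format-Table -AutoSize -Wrap
```

Pass `-Recurse` with `HKLM:\SOFTWARE\Classes\AppID` to cover the subkeys as well; recursing all of `HKLM:\SOFTWARE` works but is slow.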