Local Group creation on NT

[dleblanc () MINDSPRING COM (David LeBlanc)]

NT allows any user to create local groups on the domain controller.  This
is meant to allow people to set access controls easily.  If not abused, it
is a Good Thing.  Many of us have known about this for years.  However, if
you create a LOT of groups, you'll fill up the registry, make the SAM
really huge, and crash the server.  It will be a real PITA to clean up the
mess, too.

The guys over at Infoworld thoughtfully posted a BASIC script which allows
any user (even users without a brain) to use this feature to down an NT
domain controller.  Note that all copies of NT come with a BASIC
interpreter (oh, joy).

There will be a fix RSN from Microsoft which will let us place configurable
access controls on this - Russ Cooper posted an older version, but it has
some bugs.

In the meantime, I wrote a little app to help with this issue.  It attaches
to the security logs and watches for someone adding new groups.  If it sees
10 groups out of the same user within an hour, it then disables the user's
account and tosses them off the server.  My app can be had from
http://www.ntbugtraq.com/downloads/groupmonitor.asp

Feature requests, complaints, etc, should be directed to
dleblanc () mindspring com

This is 0.9 version-level code, so I could have screwed something up.  USE
AT YOUR OWN RISK.  Do not test this from your only known admin account, or
you will lock yourself out of your server (I did... whups).  It isn't
intended to be full-featured, and was only what I could crank out in a
couple of hours.  I may decide to improve it, depending on how energetic I
feel.

BTW, Russ doesn't have much bandwidth - if anyone wants to mirror it,
please do - let Russ and myself know, he'll update his page.


David LeBlanc
dleblanc () mindspring com