Re: [NTSEC] ALERT: SLMail 3.2 (and 3.1) with the Remote

[dleblanc () ISS NET (David LeBlanc)]

At 06:36 2/25/99 +0000, mnemonix wrote:

> Solution
> Because of this Remote Administration should be DISABLED. If this is not
> viable then the only way to prevent an unauthorized users (those with
> accounts) is to remove the "Access this computer from the Network" user
> right from the "Everybody" group and give this privilege to Administrators
> only.

You may want to verify that this is truly the case.  Most of the time, the
only thing that "Log on from the network" affects is services available via
IPC$.  That's why you see services that restrict users on the basis of
logging on locally, logging on as services, and even logging on as a batch
file.  Given that this service doesn't seem to be impersonating users, I
would be surprised if that right actually shuts down this avenue of attack.
 If you've already verified this, my apologies.

It sounds to me like disabling it may be the only really safe choice.


-----------------------------------------------------------
David LeBlanc
Internet Security Systems, Inc. | Voice: (678)443-6138
300 Embassy Row.                | Fax:   (678)443-6479
6600 Peachtree-Dunwoody Road NE | E-Mail:  dleblanc () iss net
Atlanta, GA 30328               | www: http://www.iss.net/