Re: [NTSEC] ALERT: SLMail 3.2 (and 3.1) with the Remote

[mnemonix () GLOBALNET CO UK (mnemonix)]

> > Solution
> > Because of this Remote Administration should be DISABLED. If this is not
> > viable then the only way to prevent an unauthorized users (those with
> > accounts) is to remove the "Access this computer from the Network" user
> > right from the "Everybody" group and give this privilege to Administrators
> > only.
>
> You may want to verify that this is truly the case.  Most of the time, the
> only thing that "Log on from the network" affects is services available via
> IPC$.  That's why you see services that restrict users on the basis of
> logging on locally, logging on as services, and even logging on as a batch
> file.  Given that this service doesn't seem to be impersonating users, I
> would be surprised if that right actually shuts down this avenue of attack.
> If you've already verified this, my apologies.
>
> It sounds to me like disabling it may be the only really safe choice.


I have verified this solution and it solves the problem of non-admins being
able to logon and change service settings. It works like IIS - Basic
Authenticated users are logged on locally and NTLM authenticated users are
logged on as a network user.

This solution may however break other network functionality such as NetBIOS
logons (Domain Authentication) and consequently all subsequent NetBIOS
network operations like use of file and printer shares.

Cheers,
David Litchfield
PS - I've updated NTInfoScan (4.2.2) to check to see if this service is
running. I've also put in a check for the /IISADMPWD issue. More information
about NTInfoScan can be found at http://www.infowar.co.uk/mnemonix