RE: Networking security problem?

[Ron DuFresne <dufresne () winternet com>]

Though, if we are reading the issue correctly, there is a problem with the
firewall not being restrictive enough for access to the machine in
question.  that *is* an issue, and seems to be one that their security
policy is not functioning to address properly.  Afterall, they regard the
info on this system to be sensitive enough that [physical access be
restricted, but, since the machine does not require direct physical access
to touch in their environment, then they have gaps in their policy.

Thanks,

Ron DuFresne

On Fri, 11 Jul 2003 ben.eisel () qmtechnologies com wrote:

> i don't believe you are pedantic,  but i have no idea if you're a headbanger.
>
> i think that windows is already archaic enough without turning their attempt at a multiuser operating system back 
> into a single user one.
>
> - ben
>
> > -----Original Message-----
> > From: gregh [mailto:chows () ozemail com au]
> > Sent: Friday, 11 July 2003 10:56 AM
> > To: Disclosure Full
> > Subject: [Full-disclosure] Networking security problem?
> >
> >
> > Tested on XP Home and 98SE only.
> > ------------------------------------
> >
> >
> > I wont make this a real long formal thing as it is quite
> > simple and rather than make it a bug style report, I am
> > asking for your input.
> >
> > Scenario:
> > ----------
> >
> > Last year I was working on a 98SE network problem that turned
> > out to be a busted NIC. The particular NIC was in a payroll
> > machine with obviously very sensitive info in it. In order to
> > give some sense of security to the payroll woman, at some
> > time in the past, someone had set up a screen saver password
> > that she knew how to change. Eg, resume from screen saver
> > required typing the password to get any further on the
> > machine to a novice and as she kept the payroll room door
> > locked anyway, it was deemed "enough" by management.
> > Unfortunately, though, along came I to fix a minor problem
> > and to be sure the NIC was responding each way (eg, it could
> > be seen by the machine in the same office) I installed the
> > NIC, then went to the other machine to ping it and see if
> > programs were working OK. Normal routine. Prior to me getting
> > to the other machine, she had questions and we spent 10
> > minutes talking and then I went to the other machine and ran
> > programs, pinged, searched the C drive on the !  payroll
> > machine and came back to the payroll machine. I found the
> > machine was locked out by password and as she was standing
> > nearby, I got her to type the password in and away it all went.
> >
> > Then it hit me - I had been running programs on the payroll
> > machine from the other machine in the network. Curious, I
> > went to another office and did the same thing after forcing
> > the screen saver on. Again it all worked and I could look up
> > sensitive data. The LAN they have there does have internet
> > access and has a basic "out of the box" firewall and they
> > think they are safe. I pointed out how I easily got in from
> > within their office and others could do the same straight to
> > the payroll machine from outside but the manager said they
> > couldn't as "we have a firewall". Well, not wanting to push
> > the point as this was the first time I had been there, I left
> > it alone but then decided to report those findings to MS.
> > Eventually they did respond but they said they don't see it
> > as a problem but WOULD make it an OPTION in the next SP for
> > XP and also I presume the next full OS (Longhorn?) they issue.
> >
> > Am I being pedantic here? To my mind, if a password is
> > required to use the machine locally, it should automatically
> > require the network connection to be broken. XP goes back to
> > the Welcome screen depending on your settings or the NT
> > looking username and password box you would all know. I find
> > it totally mystifying that a machine that is "protected" at
> > keyboard level by a password so people cant get into it and
> > look up sensitive info can still be gotten into at least by
> > the local LAN and info STILL gained. The problem here is if a
> > disgruntled employee went postal and knew this info, he/she
> > could do what they want. I understand the programs and data
> > could be protected in other ways but it also hit me that
> > there must be quite a few small to medium companies living in
> > a delirious limbo like this, too.
> >
> > Any comments? Am I just pedantic or is this really a headbanger?
> >
> > Greg.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> OutboundAppend=
>
> This message and any attachment is confidential and may be privileged or otherwise protected from disclosure.  If you 
> have received it by mistake please let us know by reply and then delete it from your system; you should not copy the 
> message or disclose its contents to anyone.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html