Penetration Testing mailing list archives

RE: Access a remote registry


From: Steve Skoronski <skoronski () ctidata com>
Date: Fri, 18 May 2001 16:55:27 -0400


        I am going to assume this is in a professional testing environment
(audit, assessment, etc.). H Carvey raises a very valid point: if a tool
finds a problem, is it *really* a problem? According to whom? Microsoft may
claim it's a 'feature', and the tool vendor may demonstrate how it
compromises security.

        The answer lies in the auditor or pen-tester. Your duty is to
assess, manage risk, and mitigate those risks. You always have to keep the
client's best interests in mind. If ISS or Retina are pumping out
vulnerability reports, it's not enough to read these and present them as a
report. Verification (which in this case can be done by attempting to read
or write information to the remote registry) is required. If there is a
vulnerability, it must be measured in terms of risk (but this is a whole
other domain). In some instances, i.e., if it's going to cost a lot of money
to protect a network from a certain attack (DDoS), then a verification that
this can actually be done is often requested.


Steve

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: Friday, May 18, 2001 9:39 AM
To: pen-test () securityfocus com
Subject: Re: Access a remote registry




I'm checking the security of a Windows NT 
server. I have first used Retina
to get a general overview of the server, and 
it has discovered that the
Guest user has access to the registry.

This post brings up another issue...validation.
Retina reports that the Guest account is
allowed access to the Registry remotely...but
how is this validated?

ISS's Internet Scanner (v5.8, v6.0) used to
report that the AutoAdminLogon functionality
existed if the value was set to '0', which
according to Microsoft is incorrect.
Rebooting the system proved this.

The point is...if a commercial tool reports a 
vulnerability, and it's not able to be 
replicated, then whom do you believe?

