Penetration Testing mailing list archives
RE: Access a remote registry
From: H C <keydet89 () yahoo com>
Date: Fri, 18 May 2001 15:08:13 -0700 (PDT)
I am going to assume this is in a professional testing environment (audit, assessment, etc...). H Carvey raises a very valid point, if a tool finds a problem, is it *really* a problem? According to who? Microsoft may claim it's a 'feature', and the tool vendor may demonstrate how it compromises security.
Reading the responses on this thread, I am seeing two parallel areas...

1. Is the vulnerability discovered by a commercial tool _really_ a vulnerability? Yes, the commercial product may correctly identify the condition, however, in the overall view, is it really an issue? Or, perhaps more appropriately, is the severity of the vulnerability appropriate, given the infrastructure?

2. Was the condition correctly tested? Was the test conducted, and the result correctly interpreted?

For example, let's look at the issue of the AutoAdminLogon Registry value. Microsoft says that if this value is set to 1 (on NT 4.0), then whichever password appears (in plain text) in the DefaultPassword value is used to automatically log that username in when the system starts. If the value is 0, the system will not automatically log in any account via this functionality. However, ISS 5.8 and 6.0 would report a serious vulnerability if the presence of the value was detected, regardless of the data (1 or 0). Without verification via some other means, this could lead to a potentially embarrassing situation for the consultant.

With commercial tools, the issue seems to be which one detects more vulnerabilities. Of course, the discussion then digresses to what defines a 'vulnerability'.

Rather than taking a step forward, I would suggest taking a step back. Using automated tools to collect configuration information, which is then interpreted by a knowledgeable security professional or sysadmin, is really the only way to conduct a thorough vulnerability assessment. Particularly on NT/2K, this requires that admins 'get under the hood' a little bit...but then, it becomes an issue of 'cost'. Do you want to pay the 'cost' of thousands of dollars for tools and consultants, or do you want to pay the 'cost' of picking up some books, getting some information, and learning something new?
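Added example, not part of the original message or of any tool it names: a check for the AutoAdminLogon case described above that reads the value data from a collected REGEDIT4-style export instead of reporting on the value's presence. The function names, the severity labels, the "review" cases and the sample exports are assumptions constructed for illustration.

```python
import re

# Winlogon key that holds the AutoAdminLogon / DefaultPassword values.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Read string values from a REGEDIT4-style export into {KEY: {name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := _STRING_VALUE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data  # registry names are case-insensitive
    return keys

def assess_autologon(keys):
    """Return (severity, reason) based on the value data, not its mere presence."""
    vals = keys.get(WINLOGON.upper(), {})
    flag = vals.get("autoadminlogon")
    has_password = bool(vals.get("defaultpassword"))
    if flag is None:
        return ("none", "AutoAdminLogon value not present")
    if flag == "1" and has_password:
        return ("high", "autologon enabled; plaintext DefaultPassword stored")
    if flag == "1":
        return ("review", "autologon enabled but no DefaultPassword collected")
    if flag == "0" and has_password:
        return ("review", "autologon disabled, but a DefaultPassword is still stored")
    if flag == "0":
        return ("none", "value present but set to 0: autologon disabled")
    return ("review", f"unexpected AutoAdminLogon data {flag!r}")

# Constructed sample exports (not from the original thread).
DISABLED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DefaultUserName"="Administrator"
'''
ENABLED = DISABLED.replace('"AutoAdminLogon"="0"',
                           '"AutoAdminLogon"="1"\n"DefaultPassword"="Constructed-Pw-1"')

if __name__ == "__main__":
    for label, export in (("disabled", DISABLED), ("enabled", ENABLED)):
        print(label, assess_autologon(parse_reg_export(export)))
```

The DISABLED export is the case the message describes: the value exists with data 0, so the check reports no finding where a presence-only test would report one.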