Penetration Testing mailing list archives

RE: Access a remote registry


From: H C <keydet89 () yahoo com>
Date: Fri, 18 May 2001 15:08:13 -0700 (PDT)


I am going to assume this is in a professional testing environment (audit, assessment, etc...). H Carvey raises a very valid point: if a tool finds a problem, is it *really* a problem? According to who? Microsoft may claim it's a 'feature', and the tool vendor may demonstrate how it compromises security.

Reading the responses on this thread, I am seeing two
parallel areas...

1.  Is the vulnerability discovered by a commercial
tool _really_ a vulnerability?  Yes, the commercial
product may correctly identify the condition, however,
in the overall view, is it really an issue?  Or,
perhaps more appropriately, is the severity of the
vulnerability appropriate, given the infrastructure?

2.  Was the condition correctly tested?  Was the test
conducted, and the result correctly interpreted?  For
example, let's look at the issue of the AutoAdminLogon
Registry value.  Microsoft says that if this value is
set to 1 (on NT 4.0), then whichever password appears
(in plain text) in the DefaultPassword value is used
to automatically log that username in when the system
starts.  If the value is 0, the system will not
automatically log in any account via this
functionality.  However, ISS 5.8 and 6.0 would report
a serious vulnerability if the presence of the value
was detected, regardless of the data (1 or 0). 
Without verification via some other means, this could
lead to a potentially embarrassing situation for the
consultant.

With commercial tools, the issue seems to be which one
detects more vulnerabilities.  Of course, the
discussion then digresses to what defines a
'vulnerability'.

Rather than taking a step forward, I would suggest
taking a step back.  Using automated tools to collect
configuration information, which is then interpreted
by a knowledgeable security professional or sysadmin
is really the only way to conduct a thorough
vulnerability assessment.  Particularly on NT/2K, this
requires that admins 'get under the hood' a little
bit...but then, it becomes an issue of 'cost'.  Do you
want to pay the 'cost' of thousands of dollars for
tools and consultants, or do you want to pay the
'cost' of picking up some books, getting some
information, and learning something new?

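The AutoAdminLogon case above is a good illustration of "presence" versus "data" in a scanner check. The following script is an added example, not code from the post or from any scanner vendor: it places the presence-only logic the post attributes to the older ISS releases next to a check that actually interprets the value data and the accompanying DefaultPassword. The Winlogon key path is the real Windows location of these values; the host snapshots and the severity labels are my own constructed assumptions.

```python
"""Interpret AutoAdminLogon data instead of flagging its mere presence.

Added example (not part of the original mailing list post). The Winlogon key
path is the real one; SAMPLE_HOSTS and the severity labels are constructed
for illustration.
"""
import platform

# Real location of AutoAdminLogon / DefaultUserName / DefaultPassword under HKLM.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed registry snapshots: value name -> data, as a collector might read them.
SAMPLE_HOSTS = {
    "host-a": {"AutoAdminLogon": "1", "DefaultUserName": "svc", "DefaultPassword": "secret"},
    "host-b": {"AutoAdminLogon": "0", "DefaultUserName": "svc"},
    "host-c": {"AutoAdminLogon": "0", "DefaultPassword": "leftover"},
    "host-d": {},
}


def naive_finding(values):
    """Presence-only logic as the post describes: any AutoAdminLogon value is 'serious'."""
    return "serious" if "AutoAdminLogon" in values else None


def autologon_enabled(values):
    """True only when the data is 1; the value is normally REG_SZ but a DWORD is tolerated."""
    data = values.get("AutoAdminLogon")
    if data is None:
        return False
    if isinstance(data, int):
        return data == 1
    return str(data).strip() == "1"


def assess(values):
    """Return (severity, reason) after interpreting the data, or None if nothing to report.

    Severity labels are an assumption of this example, not a vendor's scale.
    """
    enabled = autologon_enabled(values)
    password = values.get("DefaultPassword")
    if enabled and password:
        return ("high", "AutoAdminLogon=1 with cleartext DefaultPassword")
    if enabled:
        return ("medium", "AutoAdminLogon=1 but no DefaultPassword set")
    if password:
        return ("low", "AutoAdminLogon disabled but a cleartext DefaultPassword remains")
    return None


def read_live_winlogon():
    """On Windows, read the real values with winreg; on other platforms return None."""
    if platform.system() != "Windows":
        return None
    import winreg  # only available on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ("AutoAdminLogon", "DefaultUserName", "DefaultPassword"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent on this host
    return out


def compare(hosts):
    """Map host -> (naive scanner result, data-aware result) for side-by-side review."""
    return {host: (naive_finding(values), assess(values)) for host, values in hosts.items()}


if __name__ == "__main__":
    for host, (naive, verified) in compare(SAMPLE_HOSTS).items():
        print(f"{host}: scanner={naive} verified={verified}")
```

Run on the constructed snapshots, the presence-only check reports host-b and host-c as "serious" even though auto-logon is off, which is exactly the false positive the post warns about; the data-aware check reports host-a as high and reduces host-c to a note about a leftover cleartext password. On a real NT/2K host the same functions can be fed the output of read_live_winlogon().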

