Security Basics mailing list archives
RE: Re[2]: Messenger service abuse (from inside the network)
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 4 Dec 2003 14:56:15 -0800
I think someone already mentioned it; you can lock down the command line
from the GP, which will stop some. If they use a batch script, ACL the net
command and you should be good.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Alexander Lukyanenko [mailto:sashman () ua fm]
Sent: Thursday, December 04, 2003 2:35 PM
To: Shawn Jackson
Cc: security-basics () securityfocus com
Subject: Re[2]: Messenger service abuse (from inside the network)

Hello Shawn et al.
Thank you all for the responses...

SJ> One account for all those students...*whimper*.
300+ students' accounts for a 10-boxen domain powered by one wimpy Cel 1200
would kill the poor server's storage. It works fine, even when there's
Unreal running at the DC %)
Don't tell me about redundancy, they'll wait for logon for some 10 minutes
if the DC is down. :)
The AD domain is mostly for fun there, no time-critical stuff, just a
playground to learn some administration basics without doing any real harm
if something goes wrong.

SJ> You just angered
SJ> the Audit gods! I assume they are using the net command for it:
SJ> net SEND /DOMAIN:YOURDOMAIN I-Hax0r-U
they {abusers} make it even simpler:
net send * foobar

SJ> Just ACL the net command to SYSTEM, DOMAIN ADMINS, etc. Make
SJ> sure you got everything locked down on the system (gpedit.msc). Also
SJ> make sure they aren't installing any software for messenger spamming.
Don't worry, everything is GP'ed to the `minimum working' state, they can't
write even to the HKCU, not to mention that they can't control services,
install programs etc, but the messenger service (or an analogue) is still
needed...
Pro'lly I'll have to write one myself (won't be hard, as I have a remote
administration project at rced.sf.net, currently in a neglected state).

SJ> Shawn Jackson
SJ> Systems Administrator
SJ> Horizon USA
SJ> 1190 Trademark Dr #107
SJ> Reno NV 89521
SJ> www.horizonusa.com
SJ> Email: sjackson () horizonusa com
SJ> Phone: (775) 858-2338
SJ> (800) 325-1199 x338

SJ> -----Original Message-----
SJ> From: Alexander Lukyanenko [mailto:sashman () ua fm]
SJ> Sent: Wednesday, December 03, 2003 11:58 AM
SJ> To: security-basics () securityfocus com
SJ> Subject: Messenger service abuse (from inside the network)

SJ> Hello list.
SJ> I administer a high school network running W2K Pro in an Active
SJ> Directory domain.
SJ> The problem is that the users abuse the Messenger service by sending
SJ> some mischief over the network (furthermore, they even write batch
SJ> files that repeatedly flood the domain with same text).
SJ> Is there a way to prevent this, except by changing net.exe's
SJ> ACL on all machines (or beating the offenders after classes :)?
SJ> Stopping Messenger service on the workstations is not a solution, as it
SJ> is used for sending various administrative messages.
SJ> All students share a common AD account (it would be cumbersome to
SJ> maintain 300+ user accounts, as most of them use the PCs for short
SJ> periods only).

SJ> Best regards
SJ> Alexander V. Lukyanenko
SJ> ma1lt0: sashman ua fm
SJ> ICQ# : 86195208
SJ> Phone : +380 44 458 07 23
SJ> OpenPGP key ID: 75EC057C
SJ> NIC : SASH4-UANIC

Alexander V. Lukyanenko
ma1lt0: sashman ua fm
ICQ# : 86195208
Phone : +380 44 458 07 23
OpenPGP key ID: 75EC057C
NIC : SASH4-UANIC
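
The net.exe ACL change discussed in this thread could be scripted along these lines. This is an added example, not part of the original messages; it assumes the script is assigned as a computer startup script through Group Policy (so it runs as SYSTEM), an English-language Windows, and a domain whose NetBIOS name is the placeholder YOURDOMAIN.

```batch
@echo off
rem Added example: restrict execution of the net command to SYSTEM and
rem administrators on a workstation.
rem Assumption: YOURDOMAIN is a placeholder for the real domain name.
setlocal
set ADMINGROUP=YOURDOMAIN\Domain Admins

rem net1.exe, where present, accepts the same subcommands as net.exe,
rem so it gets the same ACL. Missing files are skipped.
for %%F in (net.exe net1.exe) do call :lockdown "%SystemRoot%\system32\%%F"
endlocal
goto :eof

:lockdown
if not exist %1 goto :eof
rem Without /E, cacls replaces the file's ACL rather than editing it, so
rem only the principals listed here remain. cacls asks for confirmation
rem before replacing; the piped "y" answers it (English prompt assumed).
echo y| cacls %1 /G SYSTEM:F Administrators:F "%ADMINGROUP%":F >nul
rem Print the resulting ACL so it can be checked by hand afterwards.
cacls %1
goto :eof
```

Logon scripts or shortcuts that call `net use` under the shared student account stop working once this is applied, and the ACL does nothing against other programs that send messenger messages, which is why the thread also mentions blocking software installs.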