Security Basics mailing list archives

Re[2]: Messenger service abuse (from inside the network)


From: Alexander Lukyanenko <sashman () ua fm>
Date: Fri, 5 Dec 2003 21:39:47 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Mr. Tony J. Camp
The box IS secured, no CD-ROM drives are present, floppy drives are
disabled from the BIOS (which is password-protected), the HDD is the
only device mentioned in the bootup sequence. The physical
modification is not possible (the users dare not do anything to the
hardware).
The /boot partition (errm, no /boot on Windows, I mean the C: drive
where the ntldr lives) is NTFS and is correctly ACL'ed.

Friday, December 5, 2003, 3:23:02 PM, you wrote:

CMTJ> For this to be effective, the box will need to be physically secured as
CMTJ> well.  Disable CD booting in the BIOS, password protect the BIOS, and put a
CMTJ> padlock on the case (to prevent BIOS reset by jumper).  Otherwise they could
CMTJ> just boot to a certain cd, blank the local admin password, and reset the ACL
CMTJ> on the net command.

CMTJ> -----Original Message-----
CMTJ> From: Shawn Jackson [mailto:sjackson () horizonusa com]
CMTJ> Sent: Wednesday, December 03, 2003 7:48 PM
CMTJ> To: Alexander Lukyanenko; security-basics () securityfocus com
CMTJ> Subject: RE: Messenger service abuse (from inside the network)



CMTJ>   One account for all those students...*whimper*. You just angered the
CMTJ> Audit gods! I assume they are using the net command for it:

CMTJ>   net SEND /DOMAIN:YOURDOMAIN I-Hax0r-U

CMTJ>   Just ACL the net command to SYSTEM, DOMAIN ADMINS, etc. Make sure
CMTJ> you got everything locked down on the system (gpedit.msc). Also make sure
CMTJ> they aren't installing any software for messenger spamming.

CMTJ> Shawn Jackson
CMTJ> Systems Administrator
CMTJ> Horizon USA
CMTJ> 1190 Trademark Dr #107
CMTJ> Reno NV 89521
CMTJ> www.horizonusa.com

CMTJ> Email: sjackson () horizonusa com
CMTJ> Phone: (775) 858-2338
CMTJ>        (800) 325-1199 x338

CMTJ> -----Original Message-----
CMTJ> From: Alexander Lukyanenko [mailto:sashman () ua fm]
CMTJ> Sent: Wednesday, December 03, 2003 11:58 AM
CMTJ> To: security-basics () securityfocus com
CMTJ> Subject: Messenger service abuse (from inside the network)

CMTJ> -----BEGIN PGP SIGNED MESSAGE-----
CMTJ> Hash: SHA1

CMTJ> Hello list.
CMTJ> I administer a high school network running W2K Pro in an Active Directory
CMTJ> domain.

CMTJ> The problem is that the users abuse the Messenger service by sending some
CMTJ> mischief over the network (furthermore, they even write batch files that
CMTJ> repeatedly flood the domain with the same text). Is there a way to prevent this,
CMTJ> except by changing net.exe's ACL on all machines (or beating the offenders
CMTJ> after classes :)? Stopping the Messenger service on the workstations is not a
CMTJ> solution, as it is used for sending various administrative messages. All
CMTJ> students share a common AD account (it would be cumbersome to maintain 300+
CMTJ> user accounts, as most of them use the PCs for short periods only).

CMTJ> Best regards
CMTJ> * * * * * * * * * * * * * * *
CMTJ> * Alexander V. Lukyanenko   *
CMTJ> * ma1lt0: sashman ua fm     *
CMTJ> * ICQ#  : 86195208          *
CMTJ> * Phone : +380 44 458 07 23 *
CMTJ> * OpenPGP key ID: 75EC057C  *
CMTJ> * NIC   : SASH4-UANIC       *
CMTJ> * * * * * * * * * * * * * * *
CMTJ> -----BEGIN PGP SIGNATURE-----
CMTJ> Version: GnuPG v1.2.3 (MingW32)

CMTJ> iD8DBQE/zkBXlz+8e3XsBXwRAi/VAKCTyRlRA4iAQY6Opbk0w1jYypvYNACdFaUR
CMTJ> kUWN82Zu6d+xu0bMpfQ2GlM=
CMTJ> =cpq+
CMTJ> -----END PGP SIGNATURE-----






* * * * * * * * * * * * * * *
* Alexander V. Lukyanenko   *
* ma1lt0: sashman ua fm     *
* ICQ#  : 86195208          *
* Phone : +380 44 458 07 23 *
* OpenPGP key ID: 75EC057C  *
* NIC   : SASH4-UANIC       *
* * * * * * * * * * * * * * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQE/0N8Jlz+8e3XsBXwRAk0DAJ4+EhxfVFz7MgTkmCm1gKiZanAflgCcDvr/
txJbAjFc7YeZtS9AN5FOfgM=
=nn1R
-----END PGP SIGNATURE-----
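The mitigation the thread settles on is an ACL on the net command so that only SYSTEM and Domain Admins can run "net send", combined with physical/BIOS hardening so the ACL cannot be undone offline. The script below is an added example, not code posted by anyone in the thread: it applies that ACL with PowerShell and then audits the file for any remaining execute grant to an unlisted principal, which is the check an administrator would want after rolling the change out. It assumes an elevated PowerShell session on a Windows host (the W2K machines in the thread predate PowerShell and would use cacls for the same DACL change), that the running account may write the DACL of the target files (on Windows Vista and later they are owned by TrustedInstaller, so ownership has to be taken first), and it uses "YOURDOMAIN" as a placeholder for the real domain name. It also covers net1.exe, which net.exe delegates most sub-commands to; restricting net.exe alone leaves that second binary runnable.

```powershell
# Added example (not from the thread): restrict execution of net.exe / net1.exe
# to a short list of principals, then audit the resulting DACL.
# Assumptions: elevated session; caller may write the DACL (take ownership
# first on Vista+ where TrustedInstaller owns these files); YOURDOMAIN is a
# placeholder for the real domain.

$Targets = @(
    (Join-Path $env:SystemRoot 'System32\net.exe'),
    (Join-Path $env:SystemRoot 'System32\net1.exe')   # net.exe hands most sub-commands to net1.exe
)
$AllowedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'YOURDOMAIN\Domain Admins'     # placeholder: replace with the actual domain name
)

function Set-RestrictedExecAcl {
    param([string]$Path, [string[]]$Principals)
    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance without copying the inherited ACEs (those grant Users read+execute)
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE so only the list below remains on the file
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($p in $Principals) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $p, 'ReadAndExecute', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-RestrictedExecAcl {
    # Returns every Allow ACE that carries the execute right for a principal
    # outside $Principals; an empty result means the lockdown held.
    param([string]$Path, [string[]]$Principals)
    $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    Get-Acl -LiteralPath $Path | Select-Object -ExpandProperty Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $execBit) -ne 0) -and
            ($Principals -notcontains $_.IdentityReference.Value)
        }
}

foreach ($t in $Targets) {
    Set-RestrictedExecAcl -Path $t -Principals $AllowedPrincipals
    $leaks = @(Test-RestrictedExecAcl -Path $t -Principals $AllowedPrincipals)
    if ($leaks.Count -eq 0) {
        Write-Host "$t : only the allowed principals can execute it"
    } else {
        Write-Warning "$t : unexpected execute grants for $($leaks.IdentityReference.Value -join ', ')"
    }
}
```

Run Test-RestrictedExecAcl on its own from a scheduled task or a login script to catch the case Tony Camp raises, where someone resets the ACL after booting from other media: the DACL on disk is the thing that actually changed, so checking it is more reliable than checking whether the BIOS settings still look right.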
