[2986] in WWW Security List Archive
NT Security, Netscape and the Registry
daemon@ATHENA.MIT.EDU (Skip4004@aol.com)
Wed Sep 18 23:03:06 1996
From: Skip4004@aol.com
Date: Wed, 18 Sep 1996 21:02:39 -0400
To: ntsecurity@iss.net, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I'm somewhat at shock on how many systems have tight file security while
overlooking the NT registry. I assumed that most adminstrators would make use
of the C2 security tool included in the resource kit to lock the registry,
evidently this is not the case. Amongst reaking general havoc, by remotely
manipulating the registry, it's extremely easy to lock
out the administrator on Netscape's Commerce Server and install a new
administrator account. True the server must be restarted for the changes to
take effect and the registry set to the default security permissions. My
question is why did Netscape make it so easy, knowing about the default
setting of NT's registry?
By the way I'm currently in the process of correcting this problem within our
domain, in case you're wondering why I'm stooping so low as to use AOL.
