[3000] in WWW Security List Archive
RE: [NTSEC] NT Security, Netscape and the Registry
daemon@ATHENA.MIT.EDU (Seder Robert C)
Thu Sep 19 15:38:57 1996
From: Seder Robert C <sederrc@exchange.phs.com>
To: "ntsecurity@iss.net" <ntsecurity@iss.net>,
"www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>,
"'Skip4004@aol.com'" <Skip4004@aol.com>
Date: Thu, 19 Sep 1996 10:45:44 -0700
Errors-To: owner-www-security@ns2.rutgers.edu
>----------
>From: Skip4004@aol.com
>Sent: Wednesday, September 18, 1996 6:02 PM
>To: ntsecurity@iss.net; www-security@ns2.rutgers.edu
>Subject: [NTSEC] NT Security, Netscape and the Registry
>
>I'm somewhat in shock at how many systems have tight file security while
>overlooking the NT registry. I assumed that most administrators would make use
>of the C2 security tool included in the resource kit to lock the registry,
>evidently this is not the case. Amongst wreaking general havoc, by remotely
>manipulating the registry, it's extremely easy to lock
>out the administrator on Netscape's Commerce Server and install a new
>administrator account. True, the server must be restarted for the changes to
This is a Netscape bug - they should be made aware. In their software,
when they create a Registry key, they SHOULD be setting the ACLs
immediately after...
>take effect and the registry set to the default security permissions. My
>question is why did Netscape make it so easy, knowing about the default
>setting of NT's registry?
>
>By the way I'm currently in the process of correcting this problem within our
>domain, in case you're wondering why I'm stooping so low as to use AOL.
Sharp call!
>
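
The practice recommended in the reply above (create the key, then set its ACL straight away) looks like this in present-day PowerShell. This is an added example, not code from the thread or from Netscape; the key path and the choice of Administrators and SYSTEM as the only trustees are assumptions made for illustration.

```powershell
# Added example. Run from an elevated session.
# Hypothetical key path, constructed for this example.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleServer'

# Build the restrictive ACL before the key exists so it can be applied
# in the very next statement after creation.
$acl = New-Object System.Security.AccessControl.RegistrySecurity

# Protect the ACL from inheritance and discard inherited entries, so the
# permissive defaults of the parent key do not carry over.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$full = [System.Security.AccessControl.RegistryRights]::FullControl

# Assumed trustees: only these two principals may read or modify the key.
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $identity, $full, $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

# Create the key and set its ACL immediately afterwards.
New-Item -Path $keyPath -Force | Out-Null
Set-Acl -Path $keyPath -AclObject $acl

# Check the result: list any Allow entry that grants write-type rights to
# a principal other than the two expected ones. No output means the key
# is locked down as intended.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
(Get-Acl -Path $keyPath).Access |
    Where-Object {
        $_.AccessControlType -eq $allow -and
        ($_.RegistryRights -band $writeRights) -and
        ($expected -notcontains $_.IdentityReference.Value)
    } |
    Select-Object IdentityReference, RegistryRights, IsInherited
```

The final query can be run on its own against an existing key to audit it without changing anything.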