[100] in Best-of-Security


BoS: Re: NT backup tapes must be encrypted

daemon@ATHENA.MIT.EDU (David LeBlanc)
Mon Mar 31 12:56:28 1997

Date:         Mon, 31 Mar 1997 10:54:54 -0500
Reply-To: Windows NT BugTraq Mailing List <NTBUGTRAQ@RC.ON.CA>,
        David LeBlanc <dleblanc@ISS.NET>
From: David LeBlanc <dleblanc@ISS.NET>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

[posted to NTBUGTRAQ and mailed]
At 14:39 3/29/97 -0800, you wrote:
>What do these have to do with preventing an admin from executing a
>trojan horse that dumps the hashed passwords and sends them to someone?

The difference is that I can swipe the password file from a UNIX box and if
all the passwords are complex, I don't get anything more than a list of
users.  I can't use it to log in anywhere - I have to start with the password.

With NT, I can use the hashed passwords to actually authenticate, so if the
file is stolen, you are automatically screwed, regardless of password
complexity.  I would strongly suggest that you fix this so that there is an
additional layer of hashing such that you cannot work backwards from what is
in the registry to get something that can be used to authenticate.

This also has some implications regarding web-based applications - right
now, IIS runs as system.  This means that if I can find some way to subvert
your http server, I can get it to deliver me those keys, which I can then
feed back to it to come in as any user I please.  Under UNIX, if I can
accomplish the same dirty deed and swipe the password file, I don't get
anywhere unless the passwords are weak.  This sort of thing is one reason it
worries me to see IIS running as system - even if it has to run as a
high-level user, it should have a unique user context such that it can be
more easily controlled and limited.

-----------------------------------------------------------
David LeBlanc                   | Voice: (770)395-0150 x138
Internet Security Systems, Inc. | Fax:   (404)395-1972
41 Perimeter Center East        | E-Mail:  dleblanc@iss.net
Suite 660                       | www: http://www.iss.net/
Atlanta, GA 30328               |
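
The design point in the message above, as an added example that is not part of the original post: a toy challenge-response in which the stored value is itself the authentication key, beside a SCRAM-style scheme (the RFC 5802 idea) that stores only a hash of the client key. All function names, the SHA-256/PBKDF2 choices and the sample password are assumptions for illustration; neither design is NT's actual protocol.

```python
import hashlib
import hmac
import os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Design A (toy model): the server stores H(password) and uses it as the MAC key.
def a_enroll(password: str) -> bytes:
    return h(password.encode())

def a_respond(key: bytes, challenge: bytes) -> bytes:
    return mac(key, challenge)  # needs only the stored value, not the password

def a_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(mac(stored, challenge), response)

# Design B (SCRAM-style): the server stores H(client_key), one more hash layer.
def b_client_key(password: str, salt: bytes) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096)
    return mac(salted, b"Client Key")

def b_enroll(password: str, salt: bytes) -> bytes:
    return h(b_client_key(password, salt))

def b_prove(client_key: bytes, challenge: bytes) -> bytes:
    return xor(client_key, mac(h(client_key), challenge))

def b_verify(stored_key: bytes, challenge: bytes, proof: bytes) -> bool:
    candidate = xor(proof, mac(stored_key, challenge))  # recover claimed client key
    return hmac.compare_digest(h(candidate), stored_key)

def stolen_db_outcome() -> dict:
    """Compare a client that knows the password with one holding only the stored value."""
    password = "constructed-sample-pw"  # constructed sample input
    salt, challenge = os.urandom(16), os.urandom(16)
    a_db, b_db = a_enroll(password), b_enroll(password, salt)
    return {
        "A_password_holder": a_verify(a_db, challenge, a_respond(a_enroll(password), challenge)),
        "A_stored_value_only": a_verify(a_db, challenge, a_respond(a_db, challenge)),
        "B_password_holder": b_verify(b_db, challenge, b_prove(b_client_key(password, salt), challenge)),
        "B_stored_value_only": b_verify(b_db, challenge, b_prove(b_db, challenge)),
    }

if __name__ == "__main__":
    print(stolen_db_outcome())
```

In design B the stored value alone fails verification, but it can still be guessed against offline if the password is weak, which is the same property the post attributes to the UNIX password file.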

