[72] in Best-of-Security


BoS: Possible SEB warning.

daemon@ATHENA.MIT.EDU (Russ)
Fri Mar 14 06:24:04 1997

Date:         Thu, 13 Mar 1997 23:19:32 -0500
Reply-To: Windows NT BugTraq Mailing List <NTBUGTRAQ@RC.ON.CA>,
        Russ <Russ.Cooper@RC.ON.CA>
From: Russ <Russ.Cooper@RC.ON.CA>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

So I'm going to try and formulate the list policy as I go along, so
please don't get too upset with me if I violate my own rules...;-]

Reading the README.WRI file included with MS Exchange Server 5.0, I came
across this little perl of wisdom.
-----
Microsoft Exchange Server Administrators Need Local Computer
Administrator Rights
Many operations done by the Administrator program require it to write
both to the Microsoft Exchange Server directory and the Windows NT
registry of the target server. Windows NT 4.0 requires that users have
administrator rights on servers to access the registry. Previous
versions of Windows NT did not impose this restriction.

Installing Windows NT 4.0 Service Pack 3 alleviates this problem. To
guarantee successful completion of tasks in the Administrator program on
previous versions of Windows NT 4.0, users should have Administrator
permissions on the Microsoft Exchange Server directory objects they need
to change and Windows NT administrator rights on target servers.

Remotely installing new services, such as the Internet Mail Service or
the Internet News Service, requires Windows NT administrator rights on
all versions of Windows NT.
-----
So I would read this to mean that a change has been made such that the
MS Exchange Administrator program (MAD) no longer needs to be run as
Administrator, a good thing(tm), but it seems to have done this by
somehow bypassing or modifying the ACL on the winreg registry entry
permitting the user that is running MAD the ability to access registries
on local and remote machines. I have yet to determine how it does this
or to which machines this facility is permitted. Logic would dictate
that it would only permit access to the registry keys which MSX uses,
but how that kind of restriction would be done on remote machines is
beyond me (and ideas as to how it might do it are scary).

This is obviously a "feature" included in NT 4.0 SP3. Any info regarding
how this has been implemented, or the changes it makes to registries,
would be appreciated.

Also, despite the fact that the README.WRI says that NT 4.0 SP3 is
available from their FTP site, it's still not there.
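
The winreg ACL discussed above can be inspected directly on a host. This PowerShell audit is an added example, not part of the original post or of any Microsoft tooling; the function name Get-WinregAudit is hypothetical, the key path (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg) is not given in the post, and the baseline principal list is an assumption to adjust per site.

```powershell
# Added example: report who the winreg key ACL lets reach the registry remotely,
# and which subtrees AllowedPaths exempts from that ACL.
$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Assumed baseline of principals expected on the key; replace with your own.
$Baseline = @(
    'BUILTIN\Administrators',
    'BUILTIN\Backup Operators',
    'NT AUTHORITY\LOCAL SERVICE'
)

function Get-WinregAudit {
    param(
        [string]   $KeyPath  = $WinregKey,
        [string[]] $Expected = $Baseline
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # Key absent: the winreg ACL is not restricting remote access on this host.
        return [pscustomobject]@{ KeyPresent = $false; Entries = @(); AllowedPaths = @() }
    }

    # One row per ACE, flagging any principal that is not in the baseline.
    $entries = @((Get-Acl -LiteralPath $KeyPath).Access | ForEach-Object {
        [pscustomobject]@{
            Identity   = $_.IdentityReference.Value
            Rights     = $_.RegistryRights
            Type       = $_.AccessControlType
            Inherited  = $_.IsInherited
            Unexpected = ($Expected -notcontains $_.IdentityReference.Value)
        }
    })

    # AllowedPaths\Machine (REG_MULTI_SZ) lists subtrees reachable remotely
    # by users who are not granted access on the winreg key itself.
    $allowed = @()
    $apKey = Join-Path $KeyPath 'AllowedPaths'
    if (Test-Path -LiteralPath $apKey) {
        $prop = Get-ItemProperty -LiteralPath $apKey -Name Machine -ErrorAction SilentlyContinue
        if ($prop) { $allowed = @($prop.Machine) }
    }

    [pscustomobject]@{ KeyPresent = $true; Entries = $entries; AllowedPaths = $allowed }
}

$audit = Get-WinregAudit
$audit.Entries | Where-Object Unexpected | Format-Table Identity, Rights, Type, Inherited
$audit.AllowedPaths
```

Running it before and after a service pack or product install and comparing the two reports shows whether the ACL or the exempted paths were changed.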

