

Re: NT configuration caution

daemon@ATHENA.MIT.EDU (David LeBlanc)
Wed Apr 22 12:13:33 1998

Date: 	Wed, 22 Apr 1998 08:11:31 -0400
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To:         Tim Newsham <newsham@LAVA.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <m0yRi1m-00119MC@malasada.lava.net>

At 08:44 AM 4/21/98 -1000, Tim Newsham wrote:
>> The problem comes in with the FrontPage extensions on NT (or any FTPD that
>> requires users be entered into the NT user database). Each user who has a
>> FP enabled website gets an account in the NT user database and this account
>> gets the "logon locally" permission. What this in effect does is give

>Can users also connect to the registry with these accounts?

Typically not - a normal server has admin:F only on the
HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg key.  This
means that only admins can access the registry remotely.

However, those same users would have more access to the registry via a
local command line.  Most people aren't aware of how to do that from a CLI,
but tools do exist which can be used.  If you're going to allow a user to
come in via a remote shell, you also ought to go look at the privileges
that everyone, interactive and users have to edit things in the registry.
The main key that is going to need attention is HKLM\Software, esp.
HKLM\Software\Classes.  Note that some of the registry hacks I found which
affect the HKLM\Software\Microsoft\Windows key could lead to gaining higher
access.  Look under advisories by date on http://www.microsoft.com/security
for some more details, or RTFM the help system of the ISS NT scanner (I'm
sure you must have a copy somewhere <g>).  I would also remove access to
interactive for the HKLM\Software\Classes\AppID key and subkeys.

Changing the association of .reg files with regedit.exe is also smart.

I believe Frank Ramos' DumpACL (see www.somarsoft.com) is a good tool to go
find which users have access to what keys.  I know it works well for the
file system.


David LeBlanc           |Why would you want to have your desktop user,
dleblanc@mindspring.com |your mere mortals, messing around with a 32-bit
                        |minicomputer-class computing environment?
                        |Scott McNealy
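The audit David describes above (who can write to HKLM\Software, HKLM\Software\Classes and the AppID subtree, who is allowed through the Winreg key, and what a .reg file launches) is what DumpACL was doing in 1998; the following is an added example in PowerShell, not code from the original post or from Somarsoft. It assumes a modern Windows with PowerShell 5.1 or later, the HKLM: drive, and that it is run from an elevated prompt. The list of keys, the set of broad principals and the definition of "write" rights are choices made here, not something the post prescribes.

```powershell
# Added example (not from the original post): audit the registry keys the
# message calls out. Assumes PowerShell 5.1+ and an elevated session.

# Keys named in the post. HKLM\SOFTWARE\Microsoft\Windows is included because
# the post says hacks against it could lead to higher access.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'HKLM:\SOFTWARE',
    'HKLM:\SOFTWARE\Classes',
    'HKLM:\SOFTWARE\Classes\AppID',
    'HKLM:\SOFTWARE\Microsoft\Windows'
)

# Broad principals (well-known SIDs) whose write access is worth flagging.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal change a key's contents or its ACL.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Get-BroadRegistryWriteAccess {
    # Emit one row per Allow ACE that grants a broad principal any write right.
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            if (-not $broad.ContainsKey($sid)) { continue }
            # RegistryRights can carry raw generic-right bits (shown as a
            # negative number); the -band still catches explicit write rights.
            if (([int]$ace.RegistryRights -band [int]$writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Key        = $path
                Principal  = $broad[$sid]
                Rights     = $ace.RegistryRights
                Inherited  = $ace.IsInherited
                Propagates = $ace.InheritanceFlags
            }
        }
    }
}

function Get-WinregAllowedPrincipals {
    # For the Winreg key, *read* access is what matters: anyone listed here
    # can open the registry remotely, so the post wants only admins present.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='Principal';e={$_.IdentityReference}}, RegistryRights
}

function Get-RegFileOpenCommand {
    # What double-clicking a .reg file runs. The post suggests changing this
    # away from regedit.exe; the 'regfile' ProgID location is assumed here.
    $cmdKey = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'
    if (Test-Path -LiteralPath $cmdKey) {
        (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    }
}

'== Broad principals with write access =='
Get-BroadRegistryWriteAccess -Paths $keys | Format-Table -AutoSize
'== Principals allowed through the Winreg key =='
Get-WinregAllowedPrincipals | Format-Table -AutoSize
'== .reg open command =='
Get-RegFileOpenCommand
```

Rows reported by the first function are candidates for tightening, not automatic findings: an inherited Users:Read ACE is normal, while Everyone or INTERACTIVE with SetValue or CreateSubKey on HKLM\SOFTWARE\Classes\AppID is the kind of entry the post says to remove. Check the Inherited column before editing an ACE, since removing an inherited entry means breaking inheritance on that key rather than editing it in place.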
