Home page logo
/

basics logo Security Basics mailing list archives

RE: Re[2]: Messenger service abuse (from inside the network)
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 4 Dec 2003 14:56:15 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

        I think someone already mentioned it; you can lockdown the
command
line from the GP, which will stop some. If they use a batch script
ACL'ing the net command and you should be good.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

- -----Original Message-----
From: Alexander Lukyanenko [mailto:sashman () ua fm] 
Sent: Thursday, December 04, 2003 2:35 PM
To: Shawn Jackson
Cc: security-basics () securityfocus com
Subject: Re[2]: Messenger service abuse (from inside the network)

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Shawn et al.
Thank you all for the responces...

SJ>     One account for all those students...*wimper*.
300+students' accounts for a 10-boxen domain powered by one wimpy
Cel 1200 would kill the poor server's storage.
It works fine, even when there's Unreal running at the DC %)
Don't tell me about redundancy, they'll wait for logon for some 10
minutes if the DC is down. :) The AD domain is mostly for fun there,
no time-critical stuff, just a playground to learn some administration
basics without doing any real harm if something goes wrong.

SJ> You just angered
SJ> the Audit gods! I assume they are using the net command for it:
SJ> net SEND /DOMAIN:YOURDOMAIN I-Hax0r-U
they {abusers} make it even simpler:
net send * foobar

SJ>     Just ACL the net command to SYSTEM, DOMAIN ADMINS, etc. Make
SJ> sure you got everything locked down on the system (gpedit.msc). Also
SJ> make sure they aren't installing any software for messenger
spamming.
Don't worry, everything is GP'ed to the `minimum working' state, they
can't write even to the HKCU, not to mention that they can't control
services, install programs etc,  but the messenger service (or an
analogue)
is still needed... Pro'lly I'll have to write one myself (won't be
hard, as I have a remote administration project at rced.sf.net,
currently in a neglected state).

SJ> Shawn Jackson
SJ> Systems Administrator
SJ> Horizon USA
SJ> 1190 Trademark Dr #107
SJ> Reno NV 89521
SJ> www.horizonusa.com

SJ> Email: sjackson () horizonusa com
SJ> Phone: (775) 858-2338
SJ>        (800) 325-1199 x338

SJ> -----Original Message-----
SJ> From: Alexander Lukyanenko [mailto:sashman () ua fm]
SJ> Sent: Wednesday, December 03, 2003 11:58 AM
SJ> To: security-basics () securityfocus com
SJ> Subject: Messenger service abuse (from inside the network)

SJ> -----BEGIN PGP SIGNED MESSAGE-----
SJ> Hash: SHA1

SJ> Hello list.
SJ> I administer a high school network running W2K Pro in an Active
SJ> Directory domain.

SJ> The problem is that the users abuse the Messenger service by sending
SJ> some mischief over the network (furthermore, they even write batch
SJ> files that repeatedly flood the domain with same text).
SJ> Is there a way to prevent this, except by changing net.exe's
SJ> ACL on all machines (or beating the offenders after classes :)?
SJ> Stopping Messenger service on the workstations is not a solution, as
it
SJ> is used for sending various administrative messages.
SJ> All students share a common AD account (it would be cumbersome to
SJ> maintain 300+ user accounts, as most of them use the PCs for short
SJ> periods only).

SJ> Best regards
SJ> * * * * * * * * * * * * * * *
SJ> * Alexander V. Lukyanenko   *
SJ> * ma1lt0: sashman ua fm     *
SJ> * ICQ#  : 86195208          *
SJ> * Phone : +380 44 458 07 23 *
SJ> * OpenPGP key ID: 75EC057C  *
SJ> * NIC   : SASH4-UANIC       *
SJ> * * * * * * * * * * * * * * *
SJ> -----BEGIN PGP SIGNATURE-----
SJ> Version: GnuPG v1.2.3 (MingW32)

SJ> iD8DBQE/zkBXlz+8e3XsBXwRAi/VAKCTyRlRA4iAQY6Opbk0w1jYypvYNACdFaUR
SJ> kUWN82Zu6d+xu0bMpfQ2GlM=
SJ> =cpq+
SJ> -----END PGP SIGNATURE-----


SJ>
------------------------------------------------------------------------
SJ> ---
SJ>
------------------------------------------------------------------------
SJ> ----
* * * * * * * * * * * * * * *
* Alexander V. Lukyanenko   *
* ma1lt0: sashman ua fm     *
* ICQ#  : 86195208          *
* Phone : +380 44 458 07 23 *
* OpenPGP key ID: 75EC057C  *
* NIC   : SASH4-UANIC       *
* * * * * * * * * * * * * * *
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQE/z7Z+lz+8e3XsBXwRAhY/AKCZUzDvp++YLs9LlXgeyT3UJTfoJwCeMCRb
UxS9Rpu3NqOX0lI53PJ2mkE=
=r2wC
- -----END PGP SIGNATURE-----


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP8+7jlSK0SrgMOc3EQJ+vgCglvcQnS/whviN4ZOdqQvyn2OlpawAn36E
pksDrB2Dveahhh3+4if/4Mx1
=53hT
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault