Home page logo

bugtraq logo Bugtraq mailing list archives

NT configuration caution
From: georger () NLS NET (George)
Date: Mon, 20 Apr 1998 19:34:30 -0400

Hi Folks,

I don't know exactly how common this is, and it certainly isn't a bug, but
I've seen it enough that I think this post is justified.

Configuration: NT4, IIS, Frontpage Extensions, Resource Kit.

For a while now NT admins have had it easy because unlike UNIX, NT does not
allow folks to get remote command line access for most of the types of
connections it supports.

It seems a lot of system administrators like to install the reskit and
along with it use the rcmdsvc for remote control of their servers. rcmd
allows one to get a remote command line much like telnet does with Unix.

The problem comes in with the FrontPage extensions on NT (or any FTPD that
requires users be entered into the NT user database). Each user who has a
FP enabled website gets an account in the NT user database and this account
gets the "logon locally" permission. What this in effect does is give
everyone with a FP enabled website, access to the machine via rcmd as well
as FP. Worse yet when they connect it dumps them right into the
\winnt\system32 directory. From there they can TYPE files or EDLIN or any
of the numerous tricks that the Unix admins have had to deal with for
years. Depending on the configuration of the machine, many times it also
gives them exec permissions for lots of programs and combined with the FP
capability to download any program they want to the machine could make for
a very dangerous combination. (how hard would it be to list the
frontpage.ini file for example, a quick DIR FRONTP*.* /s and then a simple
TYPE \path\FRONTPAGE.INI | more)

The solution to this configuration error is to stop the rcmd service on the
server and when you need access use the netsvc command to start it. Since
only the admin has the permissions to stop and start services I think this
should pretty much cure the problem. However I'd really like to hear from
anyone who has ideas on this one.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]