Home page logo

bugtraq logo Bugtraq mailing list archives

Re: NT configuration caution
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 21 Apr 1998 09:38:58 -0400

At 07:34 PM 4/20/98 -0400, George wrote:
Hi Folks,

I don't know exactly how common this is, and it certainly isn't a bug, but
I've seen it enough that I think this post is justified.

Configuration: NT4, IIS, Frontpage Extensions, Resource Kit.

For a while now NT admins have had it easy because unlike UNIX, NT does not
allow folks to get remote command line access for most of the types of
connections it supports.

It seems a lot of system administrators like to install the reskit and
along with it use the rcmdsvc for remote control of their servers. rcmd
allows one to get a remote command line much like telnet does with Unix.

The problem comes in with the FrontPage extensions on NT (or any FTPD that
requires users be entered into the NT user database). Each user who has a
FP enabled website gets an account in the NT user database and this account
gets the "logon locally" permission. What this in effect does is give
everyone with a FP enabled website, access to the machine via rcmd as well
as FP. Worse yet when they connect it dumps them right into the
\winnt\system32 directory. From there they can TYPE files or EDLIN or any
of the numerous tricks that the Unix admins have had to deal with for
years. Depending on the configuration of the machine, many times it also
gives them exec permissions for lots of programs and combined with the FP
capability to download any program they want to the machine could make for
a very dangerous combination. (how hard would it be to list the
frontpage.ini file for example, a quick DIR FRONTP*.* /s and then a simple
TYPE \path\FRONTPAGE.INI | more)

The solution to this configuration error is to stop the rcmd service on the
server and when you need access use the netsvc command to start it. Since
only the admin has the permissions to stop and start services I think this
should pretty much cure the problem. However I'd really like to hear from
anyone who has ideas on this one.

Rcmd shouldn't be used in the first place - a better alternative exists.
In the server resource kit, update 1, there is a "Remote Console".  Remote
Console has several advantages - for one thing, it properly handles apps
which manipulate screen memory - rcmd just redirects stdin and stdout.
Perhaps the most important aspect is that it does properly impersonate the
logged in user - and those users are controlled by a special group which
remote console installs.  Also, it works from the "right to log on as a
batch file", not the "right to log on locally".  All in all, a much better
solution.  Further, IIRC, some versions of rcmd don't end up impersonating
the user, so all commands run as LocalSystem (much, much worse).

Even so, the file system permissions definately need some tightening -
anything under c:\program files has full access to everyone.  Also, IIS
seems not to change any of the existing file permissions, just taking
whatever is inherited from the directory you installed into.

Worrying about people typing files out isn't your problem - most of NT's
sensitive info won't be in text files.  Where the problem comes in is where
someone actually has permissions to change files - installing trojans into
c:\program files would be child's play.

David LeBlanc           |Why would you want to have your desktop user,
dleblanc () mindspring com |your mere mortals, messing around with a 32-bit
                        |minicomputer-class computing environment?
                        |Scott McNealy

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]