Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: NT configuration caution
From: seifried () SEIFRIED ORG (seifried () SEIFRIED ORG)
Date: Tue, 21 Apr 1998 00:45:49 -0600


The solution to this configuration error is to stop the rcmd service on the
server and when you need access use the netsvc command to start it. Since
only the admin has the permissions to stop and start services I think this
should pretty much cure the problem. However I'd really like to hear from
anyone who has ideas on this one.

Geo.

Several possible solutions to remote UNIX style management of NT machines:

To solve the RCMD.EXE problem (and quote the MS help files):

Security is provided in two ways:

The logged-on user must have interactive logon privileges on the target
computer in order to connect to it.

Any programs executed on the target computer are executed impersonating
the logged-on user. Any access validation (such as opening files) is performed
as if the user were logged on to the local computer.

So simply tighten up permission on the server, remember by default the
group everyone can pretty much run amuck on the system, so simply remove
the group everyone's (and any other global/local groups or users that do
not need access to the files/etc) permissions from any file/programs you
deem sensitive (which should be most of them), this will keep the FP users
out of trouble. A better solution would be to create a FP users group and
simply give then no access to any sensitive areas.

After quickly looking at the installation instructions for "RSHSVC.EXE:
TCP/IP Remote Shell Service" I noticed a "Open RSHSVC.HTM now" link. The
following is from rshsvc.htm:

 Security

   Contents

   In order to set up client access to the Remote Shell service, you must
   place a .rhosts file in the %Systemroot%\System32 folder\Drivers\Etc
   folder. The .rhosts file should contain one or more entries of the
   following type, each entry appearing on one line:

   <C1> <U1> [<U2> <U3> ....]

   where:

          C1 is the name of the computer from which the RSH client can be
          run

          U1, U2, and so on, are names of users who are granted access to
          the Remote Shell service.
     _________________________________________________________________

This is from NT Server Reskit Suppliment #2, I didn't bother to check the
original or Suppliment #1, but I suspect the same applies. Using the
.rhosts properly would seem to me to cut the risk down considerably and
be a better alternative in many ways then RCMD.EXE.

-seifried



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault