mailing list archives
Re: NT configuration caution
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 22 Apr 1998 08:11:31 -0400
At 08:44 AM 4/21/98 -1000, Tim Newsham wrote:
The problem comes in with the FrontPage extensions on NT (or any FTPD that
requires users be entered into the NT user database). Each user who has a
FP enabled website gets an account in the NT user database and this account
gets the "logon locally" permission. What this in effect does is give
Can users also connect to the registry with these accounts?
Typically not - a normal server has admin:F only on the HKLM/System/
CurrentControlSet/Control/SecurePipeServers/Winreg key. This means that
only admins can access the registry remotely.
However, those same users would have more access to the registry via a
local command line. Most people aren't aware of how to do that from a CLI,
but tools do exist which can be used. If you're going to allow a user to
come in via a remote shell, you also ought to go look at the privileges
that everyone, interactive and users have to edit things in the registry.
The main key that is going to need attention is HKLM\Software, esp.
HKLM\Software\Classes. Note that some of the registry hacks I found which
affect the HKLM\Software\Microsoft\Windows key could lead to gaining higher
access. Look under advisories by date on http://www.microsoft.com/security
for some more details, or RTFM the help system of the ISS NT scanner (I'm
sure you must have a copy somewhere <g>). I would also remove access to
interactive for the HKLM\Software\Classes\AppID key and subkeys.
Changing the association of .reg files with regedit.exe is also smart.
I believe Frank Ramos' DumpACL (see www.somarsoft.com) is a good tool to go
find which users have access to what keys. I know it works well for the
David LeBlanc |Why would you want to have your desktop user,
dleblanc () mindspring com |your mere mortals, messing around with a 32-bit
|minicomputer-class computing environment?
- Re: NT configuration caution, (continued)