Re: NT configuration caution

From: David LeBlanc (dleblancat_private)
Date: Wed Apr 22 1998 - 05:11:31 PDT

    At 08:44 AM 4/21/98 -1000, Tim Newsham wrote:
    >> The problem comes in with the FrontPage extensions on NT (or any FTPD that
    >> requires users be entered into the NT user database). Each user who has a
    >> FP enabled website gets an account in the NT user database and this account
    >> gets the "logon locally" permission. What this in effect does is give
    
    >Can users also connect to the registry with these accounts?
    
    Typically not - a normal server has admin:F only on the HKLM/System/
    CurrentControlSet/Control/SecurePipeServers/Winreg key.  This means that
    only admins can access the registry remotely.
    
    However, those same users would have more access to the registry via a
    local command line.  Most people aren't aware of how to do that from a CLI,
    but tools do exist which can be used.  If you're going to allow a user to
    come in via a remote shell, you also ought to go look at the privileges
    that everyone, interactive and users have to edit things in the registry.
    The main key that is going to need attention is HKLM\Software, esp.
    HKLM\Software\Classes.  Note that some of the registry hacks I found which
    affect the HKLM\Software\Microsoft\Windows key could lead to gaining higher
    access.  Look under advisories by date on http://www.microsoft.com/security
    for some more details, or RTFM the help system of the ISS NT scanner (I'm
    sure you must have a copy somewhere <g>).  I would also remove access to
    interactive for the HKLM\Software\Classes\AppID key and subkeys.
    
    Changing the association of .reg files with regedit.exe is also smart.
    
    I believe Frank Ramos' DumpACL (see www.somarsoft.com) is a good tool to go
    find which users have access to what keys.  I know it works well for the
    file system.
    
    
    David LeBlanc           |Why would you want to have your desktop user,
    dleblancat_private |your mere mortals, messing around with a 32-bit
                            |minicomputer-class computing environment?
                            |Scott McNealy
    
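The registry checks the post recommends, written up here as an added PowerShell audit script that is not part of the original message or the tools it names. It assumes an elevated PowerShell 5.1+ session on the server, that "Everyone", "INTERACTIVE", "Users" and "Authenticated Users" are the broad principals you care about, and that 'regfile' is the ProgID behind the .reg association.

```powershell
# Added audit script, not from the original post. Assumes PowerShell 5.1+ on Windows,
# run from an elevated prompt so every ACL is readable. It reports ACEs on the keys
# named in the post that grant write-class rights to broad principals, shows who may
# reach the registry remotely via the winreg key, and shows the current .reg handler.
using namespace System.Security.AccessControl

$BroadPrincipals = @('Everyone', 'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users')
# Rights that let a principal change a key, as opposed to merely read it.
$WriteRights = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey -bor
               [RegistryRights]::Delete -bor [RegistryRights]::ChangePermissions -bor
               [RegistryRights]::TakeOwnership

function Get-BroadWriteAces {
    param([string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band [int]$WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $KeyPath
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Keys the post singles out: HKLM\Software, HKLM\Software\Classes, the AppID tree, Windows.
$Targets = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Microsoft\Windows')
$Targets += Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSPath }

"== Broad principals with write-class rights =="
$Targets | ForEach-Object { Get-BroadWriteAces -KeyPath $_ } | Format-Table -AutoSize

# Remote registry access is gated by the ACL on the winreg key (admins only on a sane server).
"== Who may open the registry remotely (winreg key) =="
(Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg').Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType | Format-Table -AutoSize

# The .reg file association the post suggests changing away from regedit.exe.
# 'regfile' is the conventional ProgID for .reg files (assumed; check on your build).
"== Current .reg handler =="
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command').'(default)'
```

Any row in the first table is a key that a non-admin interactive or network user can alter, which is exactly the exposure the post describes once FrontPage users hold "log on locally".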