Local Group creation on NT

From: David LeBlanc (dleblancat_private)
Date: Sat May 30 1998 - 08:50:04 PDT

    NT allows any user to create local groups on the domain controller.  This
    is meant to allow people to set access controls easily.  If not abused, it
    is a Good Thing.  Many of us have known about this for years.  However, if
    you create a LOT of groups, you'll fill up the registry, make the SAM
    really huge, and crash the server.  It will be a real PITA to clean up the
    mess, too.
    
    The guys over at Infoworld thoughtfully posted a BASIC script which allows
    any user (even users without a brain) to use this feature to down an NT
    domain controller.  Note that all copies of NT come with a BASIC
    interpreter (oh, joy).
    
    There will be a fix RSN from Microsoft which will let us place configurable
    access controls on this - Russ Cooper posted an older version, but it has
    some bugs.
    
    In the meantime, I wrote a little app to help with this issue.  It attaches
    to the security logs and watches for someone adding new groups.  If it sees
    10 groups out of the same user within an hour, it then disables the user's
    account and tosses them off the server.  My app can be had from
    http://www.ntbugtraq.com/downloads/groupmonitor.asp
    
    Feature requests, complaints, etc, should be directed to
    dleblancat_private
    
    This is 0.9 version-level code, so I could have screwed something up.  USE
    AT YOUR OWN RISK.  Do not test this from your only known admin account, or
    you will lock yourself out of your server (I did... whups).  It isn't
    intended to be full-featured, and was only what I could crank out in a
    couple of hours.  I may decide to improve it, depending on how energetic I
    feel.
    
    BTW, Russ doesn't have much bandwidth - if anyone wants to mirror it,
    please do - let Russ and myself know, he'll update his page.
    
    
    David LeBlanc
    dleblancat_private
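The detector the post describes (count local-group creations per user over a one-hour window, act on the tenth) is simple enough to show in code. The block below is an added example written for this archive page, not David LeBlanc's groupmonitor tool, and it replays constructed, NT-style audit records rather than reading the real security log. The record layout, the event name `LocalGroupCreated`, the user names and the timestamps are all made up for the example. It also adds one safeguard the original post says its author wished he had: a list of protected accounts that are alerted on but never disabled, so you cannot lock yourself out of your only admin account while testing.

```python
"""Sliding-window detector for local-group-creation floods (added example).

Feed it audit lines in chronological order, as a log tailer would.  Each
line is "YYYY-MM-DD HH:MM:SS <Event> <user> <detail>" -- a constructed
format for this example, not the NT event log's real layout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # tenth group inside the window triggers action
WINDOW = timedelta(hours=1)
GROUP_CREATED = "LocalGroupCreated"   # assumed event name for the constructed log


def parse_event(line):
    """Split a constructed audit line into (timestamp, event name, user)."""
    date, time, event, user, *_ = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, event, user


class GroupMonitor:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, protected=()):
        self.threshold = threshold
        self.window = window
        self.protected = {p.lower() for p in protected}   # alert only, never disable
        self.recent = defaultdict(deque)   # user -> timestamps still inside the window
        self.disabled = []                 # users we decided to disable, in order
        self.alerts = []                   # protected users that crossed the threshold

    def feed(self, line):
        """Process one audit line; return None, "alert" or "disabled"."""
        ts, event, user = parse_event(line)
        if event != GROUP_CREATED:         # other account-management events are ignored
            return None
        key = user.lower()
        window = self.recent[key]
        window.append(ts)
        while window and ts - window[0] > self.window:   # drop creations older than 1h
            window.popleft()
        if len(window) < self.threshold:
            return None
        if key in self.protected:
            if key not in self.alerts:
                self.alerts.append(key)
            return "alert"
        if key not in self.disabled:
            self.disabled.append(key)
            self.disable_account(key)
        return "disabled"

    def disable_account(self, user):
        # Placeholder for the real response (disable the account, drop its sessions).
        print(f"[action] would disable {user} and drop its sessions")


# Constructed sample log: bob floods (12 groups in 33 min), alice is normal,
# carol does 9 then one more after the window slid, Administrator hits 10 but
# is protected.  One MemberAdded line shows unrelated events are skipped.
SAMPLE_LOG = (
    [f"2024-05-30 09:{m:02d}:00 LocalGroupCreated bob group=tmp{i}"
     for i, m in enumerate(range(0, 36, 3))]
    + ["2024-05-30 09:10:00 MemberAdded bob group=tmp1 member=bob"]
    + ["2024-05-30 09:05:00 LocalGroupCreated alice group=proj",
       "2024-05-30 10:30:00 LocalGroupCreated alice group=proj2",
       "2024-05-30 12:00:00 LocalGroupCreated alice group=proj3"]
    + [f"2024-05-30 08:{m:02d}:00 LocalGroupCreated carol group=c{i}"
       for i, m in enumerate(range(0, 45, 5))]
    + ["2024-05-30 09:30:00 LocalGroupCreated carol group=c9"]
    + [f"2024-05-30 13:{m:02d}:00 LocalGroupCreated Administrator group=a{i}"
       for i, m in enumerate(range(0, 50, 5))]
)


def run(lines, protected=("Administrator",)):
    """Replay lines through a monitor and return it for inspection."""
    monitor = GroupMonitor(protected=protected)
    for line in sorted(lines, key=lambda l: l[:19]):   # chronological replay
        monitor.feed(line)
    return monitor


if __name__ == "__main__":
    m = run(SAMPLE_LOG)
    print("disabled:", m.disabled, "alerts:", m.alerts)
```

Carol is the case worth noticing: nine creations between 08:00 and 08:40 plus one at 09:30 never put ten inside a single hour, because the entries older than sixty minutes have been dropped from her window by the time the tenth arrives. A fixed per-hour bucket would have missed bob's run if it straddled a clock hour; the sliding deque does not. The disable step is a print placeholder; wire it to your account-management call and keep the protected list populated before pointing it at a production domain controller.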
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:37 PDT