Re: IIS4 allows proxied password attacks over NetBIOS

From: Russ (Russ.Cooperat_private)
Date: Thu Feb 25 1999 - 16:26:08 PST


    I've always appreciated the fervor with which Mnemonix appears to
    approach the issues he works on...BUT...
    
    In an effort to confirm or refute Mnemonix's latest information, I did
    the following using current production releases;
    
    1. Installed NT 4.0 Server (no domain)
    2. Installed NT 4.0 SP4 128-bit (including IE 4.01)
    3. Installed NT 4.0 Option Kit using the "Typical" installation option
    (thereby accepting all defaults)
    
    NT 4.0 is the original release version.
    NTOK is from the BackOffice April '98 release set.
    
    Observations;
    
    1. IIS HTML Administration was installed, but it was configured to run
    on port 5661.
    2. Through the HTML Administration tool included, I looked at the
    Administration Site's security configuration;
    
    a) Anonymous access is disabled by default.
    b) NTLM authentication is enabled by default (which means you'd have to
    successfully log on to access it)
    c) IP Address restrictions are enabled by default and only 127.0.0.1 is
    granted access.
d) The only site "Operators" defined is the NTLM Administrators group
for the box.
    e) Logging is enabled.
    
    The same configuration was applied by default installation to the
    /IISADMIN virtual site under the Administration site.
    
    So while the directory permissions on the
    \%systemroot%\system32\inetsrv\iisadmpwd are lax, "Everyone: Change",
    this does not pose an immediate threat due to the web site configuration
    parameters that limit access to it.
    
It's certainly possible that Mnemonix has seen a machine with the
permissions/configuration he's described, but it is definitely not a
current released version default or typical installation.
    
    Unfortunately he has not disclosed precisely what versions of what he
    was looking at.
    
    So while permission tightening is certainly recommended in any IIS
    installation, the threats described by Mnemonix do not exist in the
    versions that have been released and available for over a year from MS.
    The fact that SP4 was used in this installation means nothing wrt the
    way IIS was installed from the older NTOK (note that SP4 was installed
    prior to NTOK, and not re-applied after the NTOK installation, meaning
    it could not have affected the NTOK installation).
    
    I had a lengthy discussion with Mnemonix off-list about this particular
    message, and have had such discussions with him in the past about other
    "discoveries" he's made.
    
    His observations about what might be possible if access to the IISADMPWD
    directory *were possible* are of value to anyone trying to ensure the
    integrity and security of their IIS installation. However, his
    description of using this "vulnerability" to do user enumeration behind
    a Firewall or NAT box are, well, farcical.
    
    Given the pre-requisite vulnerabilities he states as fact don't exist
    (anonymous access to the Administration site, unrestricted IP access,
    and no NTLM authentication), the other extrapolated threats end up as
    simply "oh, really?".
    
    Certainly there is potential to take the Web Administration facility and
    modify its default configuration into an extremely insecure facility
    where the possibility of, very slowly, enumerating user accounts would
    be possible (assuming nobody looks at the logs, account lockout is not
    enabled, auditing is not enabled, and in general, the machine is left to
    the dogs).
    
    In my opinion all of this speculation, mistaken assumption, farcical
    hyperbole and arm waving takes away from the valid observations of the
    interaction between files and service which Mnemonix has told us.
    
    As the moderator of NTBugtraq I, at first, strongly refused to send
    Mnemonix's message through to NTBugtraq. I felt it was more FUD than
    valuable fact, and did more of a disservice than if he modified and
    reduced it to the raw, provable, facts. Unfortunately, despite numerous
    exchanges, Mnemonix insisted he'd rather have his original message sent.
    
    I'd appreciate your feedback on whether or not you feel you were served
    better by having his message sent to NTBugtraq (Bugtraq readers, feel
    free to tell me what you think of his message too!).
    
    Meanwhile, maybe Mnemonix can tell us what versions were used to produce
    the results he observed. If people are going to be warned, they should
    be warned about the right version (this assumes that he did the
    installation himself of course).
    
    Cheers,
    Russ - NTBugtraq moderator
    
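As an added example (not part of Russ's message or of the NTBugtraq archive), the script below sweeps IIS W3C extended log lines for two of the conditions discussed above: requests to the Administration site on port 5661 from any client other than 127.0.0.1 that were not refused with 403 (which would mean the default IP address restriction has been relaxed), and a run of 401 responses against /iisadmpwd/ from one client (what the slow account probing described would look like if the defaults had been loosened and nobody was reading the logs). The port number, the loopback-only restriction and the directory name are taken from the message; the log lines, the .htr file name under /iisadmpwd/, the field list and the threshold of five are constructed for this example.

```python
from collections import Counter

ADMIN_PORT = "5661"                     # where the Typical install placed the Administration site
ALLOWED_ADMIN_CLIENTS = {"127.0.0.1"}   # the only address the default IP restriction grants
PASSWORD_DIR = "/iisadmpwd/"            # the password-change virtual directory
BURST_THRESHOLD = 5                     # 401s from one client before we call it password guessing

# Constructed sample log for this example.  The layout follows the W3C
# extended format with the fields named in the #Fields: directive; the
# .htr file name under /iisadmpwd/ is assumed for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-02-25 10:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
1999-02-25 10:01:02 127.0.0.1 Administrator 5661 GET /iisadmin/default.htm 200
1999-02-25 10:01:30 192.168.1.50 - 5661 GET /iisadmin/default.htm 403
1999-02-25 10:01:45 192.168.1.50 - 80 GET /default.asp 200
1999-02-25 10:02:10 192.168.1.77 - 5661 GET /iisadmin/default.htm 401
1999-02-25 10:03:00 192.168.1.77 - 5661 POST /iisadmpwd/achg.htr 401
1999-02-25 10:03:21 192.168.1.77 - 5661 POST /iisadmpwd/achg.htr 401
1999-02-25 10:03:44 192.168.1.77 - 5661 POST /iisadmpwd/achg.htr 401
1999-02-25 10:04:05 192.168.1.77 - 5661 POST /iisadmpwd/achg.htr 401
1999-02-25 10:04:30 192.168.1.77 - 5661 POST /iisadmpwd/achg.htr 401
1999-02-25 10:04:52 192.168.1.77 - 5661 POST /iisadmpwd/achg.htr 401
1999-02-25 10:05:10 127.0.0.1 Administrator 5661 POST /iisadmpwd/achg.htr 200
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields: names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue                      # other directives carry no request data
        if fields is None:
            raise ValueError("log data appears before the #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def admin_site_exposure(records):
    """Requests to the Administration site from a non-allowed client that were not refused with 403.

    With the default IP restriction in place every such request should be a 403;
    anything else (200, 401, 404 ...) means the restriction is no longer applied.
    """
    hits = []
    for r in records:
        if r["s-port"] != ADMIN_PORT or r["c-ip"] in ALLOWED_ADMIN_CLIENTS:
            continue
        if r["sc-status"] != "403":
            hits.append((r["c-ip"], r["cs-uri-stem"], r["sc-status"]))
    return hits


def password_guessing_bursts(records, threshold=BURST_THRESHOLD):
    """Clients with at least `threshold` 401s against /iisadmpwd/ on the Administration site."""
    counts = Counter(
        r["c-ip"]
        for r in records
        if r["s-port"] == ADMIN_PORT
        and r["cs-uri-stem"].lower().startswith(PASSWORD_DIR)
        and r["sc-status"] == "401"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sweep(text):
    """Run both checks over one log file's text and return the findings."""
    records = parse_w3c(text)
    return {
        "records": len(records),
        "exposure": admin_site_exposure(records),
        "bursts": password_guessing_bursts(records),
    }


if __name__ == "__main__":
    result = sweep(SAMPLE_LOG)
    print("parsed records:", result["records"])
    for ip, uri, status in result["exposure"]:
        print("admin site reached from", ip, uri, "status", status)
    for ip, n in result["bursts"].items():
        print("possible password guessing from", ip, "-", n, "x 401 on", PASSWORD_DIR)
```

The 403 from 192.168.1.50 is the healthy case (the restriction refused it), so it is not reported; 192.168.1.77 is reported under both checks because its requests reached the authentication stage at all, which cannot happen while only 127.0.0.1 is granted access. Reading the logs is exactly the step Russ notes an enumeration attempt relies on nobody doing.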



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:40 PDT