-----Original Message-----
From: Mnemonix [mailto:mnemonixat_private]
Sent: Wednesday, April 28, 1999 12:37 PM
To: BUGTRAQat_private
Subject: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry

Problem: NT users can cause other users of the system to load a "trojaned" profile that could lead to a system compromise. This issue has been here for as long as NT 4 has, but I'm not sure if anybody has picked this particular issue up.

Details: When a user logs onto an NT Workstation or Server a new subkey is written to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList registry key. The name of this new key is that of the user's Security Identifier or SID. One of the values of this key is the ProfileImagePath which points to the location of the user's profile directory. This can reference a local path (eg %systemroot%\profiles\acc_name) or a UNC path (eg \\PDC\profiles\acc_name).

This is indeed an issue. It is documented in the "Securing Windows NT" whitepaper, http://www.microsoft.com/NTServer/security/exec/overview/Secure_NTInstall.asp and anyone who has implemented those recommendations will be safe against this vulnerability. (NB: The registry key is misspelled "Profile List" in the document.)

Also, the SCE templates in SP4/SP5 included one designed to help automate the recommendations in the whitepaper -- securws4.inf, IIRC. However, we just examined it and it allows "Power Users" (abbreviated "PU") to write the key. It'll be fixed in SP6. In the meantime, one can hand edit the entry for ProfileList in the template. Find the line that looks like this:

"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGW;;;PU)"

and get rid of the "(A;CI;GRGW;;;PU)" at the end.

Paul
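As an added example (not part of the advisory, the reply, or Microsoft's template), the following Python checker parses the SCE registry-key entry quoted in the message, flags any allow ACE that grants a write right to a trustee other than Domain Admins, Builtin Administrators, Local System or Creator Owner, and rebuilds the line without those ACEs. The trusted-SID set and the list of rights treated as "write" are my assumptions; the entry line itself is the one quoted above.

```python
import re

# SCE template entry quoted in the advisory (the "before" line), reproduced here as input.
TEMPLATE_LINE = (
    r'"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,'
    r'"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGW;;;PU)"'
)

# Assumed trustees allowed full control of ProfileList: Domain Admins, Builtin
# Administrators, Local System and Creator Owner. Anyone else with write access
# could rewrite another user's ProfileImagePath, which is the advisory's concern.
TRUSTED_SIDS = {"DA", "BA", "SY", "CO"}
# Two-letter SDDL rights that allow modifying a key, its values or its DACL/owner.
WRITE_RIGHTS = {"GA", "GW", "KA", "KW", "WD", "WO"}
# Same idea for a hex access mask: GENERIC_ALL | GENERIC_WRITE | WRITE_OWNER |
# WRITE_DAC | DELETE | KEY_CREATE_SUB_KEY | KEY_SET_VALUE.
WRITE_MASK = 0x10000000 | 0x40000000 | 0x80000 | 0x40000 | 0x10000 | 0x4 | 0x2

LINE_RE = re.compile(r'^"([^"]*)",(\d+),"([^"]*)"$')  # "path",mode,"sddl"
ACE_RE = re.compile(r"\(([^)]*)\)")                   # one (...) ACE at a time

def parse_aces(sddl):
    """Yield (ace_type, flags, rights, sid) for each ACE in the DACL of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # ignore a trailing SACL if present
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        yield ace_type, flags, rights, sid

def grants_write(rights):
    """True if an SDDL rights field (two-letter codes or a 0x mask) includes a write right."""
    if rights.startswith("0x"):
        return (int(rights, 16) & WRITE_MASK) != 0
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_RIGHTS)

def unsafe_aces(sddl):
    """Return the allow ACEs that grant write access to a trustee outside TRUSTED_SIDS."""
    return [f"({t};{f};{r};;;{s})" for t, f, r, s in parse_aces(sddl)
            if t == "A" and grants_write(r) and s not in TRUSTED_SIDS]

def harden_template_line(line):
    """Rebuild the template entry without its unsafe ACEs (for the quoted line, the PU ACE)."""
    path, mode, sddl = LINE_RE.match(line).groups()
    for ace in unsafe_aces(sddl):
        sddl = sddl.replace(ace, "")
    return f'"{path}",{mode},"{sddl}"'
```

Calling harden_template_line(TEMPLATE_LINE) returns the entry with "(A;CI;GRGW;;;PU)" removed, which is the hand edit the reply describes; the checker also flags hex-mask ACEs, which the quoted line does not use.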
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:23 PDT