> -----Original Message----- > From: rfpat_private [mailto:rfpat_private] > the permissions on these registry keys are Everyone -> Special Access, > which includes Set Value. This basically means domain users > can remotely > disable handler and sandbox restrictions by changing the > values of these > keys. Hmmm. I've tested this, and it worked as expected. You did your testing as an administrator on the machine. Network permissions for the registry are governed by the permissions on HKLM\System\CCS\Control\ SecurePipeServers\winreg, and by the 'Machine' value in the AllowedPaths key below it. Default permissions for winreg key allow only admins to access the registry remotely. Exceptions to this are the AllowedPaths, which are governed by the permissions on the keys themselves. HKLM\Software is not on the allowed paths for either the workstation or the server, so this portion of what you describe will not work remotely against a default install of Windows NT unless administrator access has already been obtained. It is also generally a good practice to place router filters in front of your internet-exposed web servers such that they cannot make outbound connections to places where they shouldn't. People who took such precautions found that things such as the .htr overflow didn't work, and would prevent your UNC path variant from working. Turning off the Server and Workstation services, as well as unbinding NetBIOS from the external interface would also prevent an attack involving an external UNC path from working.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:50 PDT