> You did your testing as an administrator on the machine. Network

No, I specifically did *NOT* do this, to avoid the same goofs that the guy who did the latest DCOM posts did. Not that it was his fault; I was just wary of where he went wrong, and tried to avoid that.

I specifically yanked one machine out of the domain and made it into another workgroup instead. I created a local account on that box of user 'rfp', no special rights (normal user). I used this to query regedit from. I created the account from scratch to make sure it was clean.

On the servers, on one I added domain account rfp, normal user. Different password than the first so I know I would be prompted for login/password when connecting. On another server which was only in the workgroup, I added a local user, same as above. Normal user rights, no administrative stuff. Again, freshly created accounts to make sure nothing silly was going on.

Then I queried from 'remote', non-associated box to these servers. I enter the login/password of rfp. That's logging in as rfp on one box, authenticating as rfp to the second, no administrative mojo to be seen. I was able to view the registry, and change that key. Total 'cross mojonation'.

But I see your point on being limited by 'AllowedPaths'. Has anyone else been able to recreate this? What you say makes sense, so I don't know why it would work on mine. My NT configurations are not custom nor fancy.

> It is also generally a good practice to place router filters in front of
> your internet-exposed web servers such that they cannot make outbound
> connections to places where they shouldn't. People who took such
> precautions found that things such as the .htr overflow didn't work, and
> would prevent your UNC path variant from working. Turning off the
> Server and Workstation services, as well as unbinding NetBIOS from the
> external interface would also prevent an attack involving an external
> UNC path from working.

Right.
I said it as an FYI of another approach to the exploit potential. If your box was locked down in the first place none of this would be an issue, no? :) After all, RDS stuff is slightly in the sample-scripts arena--everyone should know better. But they don't.

Cheers,
.r.f.p.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:58 PDT