RE: Access a remote registry

From: H C (keydet89at_private)
Date: Fri May 18 2001 - 15:08:13 PDT


    > 	I am going to assume this is in a professional
    > testing environment
    > (audit, assessment, etc...). H Carvey raises a very
    > valid point, if a tool
    > finds a problem, is it *really* a problem? According
    > to who? Microsoft may
    > claim it's a 'feature', and the tool vendor may
    > demonstrate how it
    > compromises security. 
    
    Reading the responses on this thread, I am seeing two
    parallel areas...
    
    1.  Is the vulnerability discovered by a commercial
    tool _really_ a vulnerability?  Yes, the commercial
    product may correctly identify the condition, however,
    in the overall view, is it really an issue?  Or,
    perhaps more appropriately, is the severity of the
    vulnerability appropriate, given the infrastructure?
    
    2.  Was the condition correctly tested?  Was the test
    conducted, and the result correctly interpreted?  For
    example, let's look at the issue of the AutoAdminLogon
    Registry value.  Microsoft says that if this value is
    set to 1 (on NT 4.0), then whichever password appears
    (in plain text) in the DefaultPassword value is used
    to automatically log that username in when the system
    starts.  If the value is 0, the system will not
    automatically log in any account via this
    functionality.  However, ISS 5.8 and 6.0 would report
    a serious vulnerability if the presence of the value
    was detected, regardless of the data (1 or 0). 
    Without verification via some other means, this could
    lead to a potentially embarrassing situation for the
    consultant.
    
    With commercial tools, the issue seems to be which one
    detects more vulnerabilities.  Of course, the
    discussion then digresses to what defines a
    'vulnerability'.
    
    Rather than taking a step forward, I would suggest
    taking a step back.  Using automated tools to collect
    configuration information, which is then interpreted
    by a knowledgeable security professional or sysadmin
    is really the only way to conduct a thorough
    vulnerability assessment.  Particularly on NT/2K, this
    requires that admins 'get under the hood' a little
    bit...but then, it becomes an issue of 'cost'.  Do you
    want to pay the 'cost' of thousands of dollars for
    tools and consultants, or do you want to pay the
    'cost' of picking up some books, getting some
    information, and learning something new?
    
    



    This archive was generated by hypermail 2b30 : Sat May 19 2001 - 10:42:52 PDT
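The AutoAdminLogon case from the message above, as an added example that is not part of the original post: a presence-only test next to one that reads the value's data, run over constructed REGEDIT4-style exports. The Winlogon key path, the sample exports and all function names are assumptions of this example; it collects the facts for a reviewer to interpret and never returns the password itself.

```python
import re

# Assumed location of the values discussed in the message.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample exports (REGEDIT4 text format), not taken from a real host.
HEADER = "REGEDIT4\n\n[" + WINLOGON + "]\n"
SAMPLE_DISABLED = HEADER + '"AutoAdminLogon"="0"\n"DefaultUserName"="Administrator"\n'
SAMPLE_ENABLED = HEADER + ('"AutoAdminLogon"="1"\n"DefaultUserName"="Administrator"\n'
                           '"DefaultPassword"="example-only"\n')
SAMPLE_ABSENT = HEADER + '"DefaultUserName"="Administrator"\n'


def winlogon_values(reg_text):
    """Return {lower-cased name: data} for string values under the Winlogon key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Registry key names are case-insensitive.
            in_key = line.strip("[]").lower() == WINLOGON.lower()
        elif in_key:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                values[m.group(1).lower()] = m.group(2)
    return values


def naive_check(reg_text):
    """Presence-only test: flags the host whenever the value exists (1 or 0)."""
    return "autoadminlogon" in winlogon_values(reg_text)


def assess_autologon(reg_text):
    """Report what the data says, leaving the severity call to the reviewer."""
    v = winlogon_values(reg_text)
    flag = v.get("autoadminlogon")
    if flag is None:
        status = "absent"
    elif flag.strip() == "1":
        status = "enabled"
    else:
        status = "disabled"
    # Record only whether a plain-text password is stored, never its content.
    return {"status": status, "password_stored": "defaultpassword" in v}


if __name__ == "__main__":
    for name in ("SAMPLE_DISABLED", "SAMPLE_ENABLED", "SAMPLE_ABSENT"):
        print(name, naive_check(globals()[name]), assess_autologon(globals()[name]))
```

On the disabled sample the presence-only test still fires, while the data-aware check reports `disabled` with no stored password.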