NTBugtraq Archives - Russ Cooper's NTBugTraq

GROUPMONITOR.EXE by David LeBlanc

With the recent announcement of a program that generates large numbers of group creations, with the potential to crash a server, David LeBlanc put together this tool to watch the event log for malicious use of the group-creation right.

While CREATALS.EXE gives an Administrator the ability to grant or deny users/groups the right to create groups at all, many Administrators would prefer to continue to make the right available but just monitor for malicious use.

GroupMonitor.exe to the rescue...;-]

GroupMonitor basically sits on top of the security event log and, with User and Group Management auditing enabled, keeps track of how many groups are being created by your users. Its sole intention is to catch someone in the process of attempting the exploit and terminate their session before it has done any real damage. As such, it looks for 10 group creations by a particular user within a 1 hour period of time. If the limit is reached, bingo, the user's session is terminated.
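To make the threshold rule concrete, here is an added example (my own illustration, not GroupMonitor's code) that applies the same check, ten group creations by one user inside a sliding one-hour window, to constructed event records. It assumes NT 4's security-log event IDs 631 and 635 for global and local group creation; the user names and timestamps are invented.

```python
from collections import deque
from datetime import datetime, timedelta

# NT 4 security-log event IDs: 631 = global group created, 635 = local group created.
GROUP_CREATED_IDS = {631, 635}
THRESHOLD = 10                  # creations by one user ...
WINDOW = timedelta(hours=1)     # ... inside this sliding window


def find_group_creation_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: time of the creation that hit the limit} for users
    who created `threshold` groups within any `window`-long period.

    `events` is an iterable of (timestamp, user, event_id) tuples.  A per-user
    deque of timestamps is the sliding window: entries older than `window`
    are evicted before each count, so only creations within the last hour
    are counted, which is the rule the page describes."""
    recent = {}    # user -> deque of recent creation timestamps
    flagged = {}   # user -> timestamp at which the limit was reached
    for ts, user, event_id in sorted(events):
        if event_id not in GROUP_CREATED_IDS:
            continue                       # e.g. 624 (user account created)
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:          # evict creations older than one hour
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


def sample_events():
    """Constructed sample records, not a real NT security log."""
    base = datetime(1998, 6, 1, 9, 0)
    ev = []
    # "mallory": one global group every 3 minutes -> 10th creation at 09:27
    for i in range(12):
        ev.append((base + timedelta(minutes=3 * i), "mallory", 631))
    # "alice": routine admin work, one local group every 20 minutes over 3 h,
    # never more than 4 inside any single hour, so she must not be flagged
    for i in range(10):
        ev.append((base + timedelta(minutes=20 * i), "alice", 635))
    # an unrelated account-creation event that the filter must ignore
    ev.append((base + timedelta(minutes=5), "bob", 624))
    return ev


if __name__ == "__main__":
    for user, when in find_group_creation_bursts(sample_events()).items():
        print(f"{user} reached {THRESHOLD} group creations at {when}")
```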

In my testing I was unable to run it on a BDC against the BDC itself, but it seemed to work correctly on a Workstation and PDC, and worked remotely from a BDC to a PDC. We're not exactly sure why it didn't work on my BDC, so feedback to David would be appreciated.

From David LeBlanc's announcement:
"As always, this code has NOT been tested thoroughly. I may have screwed something up. Use AT YOUR OWN RISK. Do NOT test this using the only admin account where you know the password, or you too will be downloading the password changing floppy (it works... <sheepish grin>). It should get us through until MS fixes it correctly."

Direct feedback to dleblanc@mindspring.com or NTSecurity@listserv.ntbugtraq.com

Click HERE to download GROUPMONITOR.ZIP (13,351 bytes)
(many thanks to Andy Murrell for hosting this link!)

Click HERE to look at the CREATALS.EXE description

Cheers,
Russ - NTBugtraq/NTSecurity moderator


This page has been viewed [hit counter] times since Monday, June 01, 1998
