With the recent announcement of a program that generates large numbers of group creations, with the potential to crash a server, David LeBlanc put together this tool to watch the security event log for malicious use of the group-creation right.
While CREATALS.EXE gives an Administrator the ability to grant or deny users/groups the right to create groups at all, many Administrators would prefer to leave the right available and simply monitor for malicious use.
GroupMonitor.exe to the rescue...;-]
GroupMonitor basically sits on top of the security event log and, with User and Group Management auditing enabled, keeps track of how many groups are being created by each of your users. Its sole purpose is to catch someone in the process of attempting the exploit and terminate their session before it has done any real damage. To that end, it looks for 10 group creations by a particular user within a one-hour period. If the limit is reached, bingo, the user's session is terminated.
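The counting rule described above, as an added illustration of the detection logic rather than code from GroupMonitor or from David LeBlanc: a per-user sliding window over group-creation audit events that flags any user who reaches 10 creations inside one hour. It assumes a constructed comma-separated log format and uses the modern Windows Security-log event IDs for "security-enabled group created" (4727, 4731, 4754); the NT 4 log that GroupMonitor read used different IDs, and the example only reports the offending user and timestamp instead of terminating a session.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: modern Windows Security-log event IDs for "security-enabled group
# created" (global, local, universal). The NT 4 log GroupMonitor watched used
# different IDs; the counting logic is the same.
GROUP_CREATED_IDS = {4727, 4731, 4754}

THRESHOLD = 10               # group creations by one user ...
WINDOW = timedelta(hours=1)  # ... inside this sliding window trips the alarm


def parse_event(line):
    """Parse one constructed log line: 'ISO-timestamp,event_id,subject_user,group_name'."""
    ts, event_id, user, group = line.split(",", 3)
    return datetime.fromisoformat(ts), int(event_id), user, group


def detect_group_floods(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: timestamp_of_threshold_event} for every user who created
    `threshold` groups within any `window`-long sliding window."""
    events = sorted(parse_event(line) for line in lines)  # process in time order
    recent = defaultdict(deque)  # user -> creation timestamps still inside the window
    flagged = {}
    for ts, event_id, user, _group in events:
        if event_id not in GROUP_CREATED_IDS:
            continue  # member adds, deletes, etc. do not count as creations
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # expire creations older than the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts  # GroupMonitor would terminate the session at this point
    return flagged


def constructed_sample():
    """Constructed audit records: one flooding user, one legitimate user, one non-creation event."""
    base = datetime(2024, 1, 15, 9, 0)
    lines = []
    # alice: 12 groups one minute apart -> the 10th creation lands inside a single hour
    for i in range(12):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()},4727,alice,flood{i:02d}")
    # bob: 10 groups ten minutes apart -> never 10 inside any one-hour window
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()},4731,bob,proj{i:02d}")
    # a member-added event (4728) for alice; not a creation, so it must not count
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()},4728,alice,flood00")
    return lines


def run_example():
    """Run the detector over the constructed sample and return the flagged users."""
    return detect_group_floods(constructed_sample())


if __name__ == "__main__":
    for user, when in run_example().items():
        print(f"{user}: reached {THRESHOLD} group creations within {WINDOW} at {when}")
```

Bob's ten creations are spread over ninety minutes, so at most seven ever sit inside one window and he is never flagged; alice trips the rule on her tenth creation at 09:09, and the 4728 member-add event is ignored because only creation events are counted.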
In my testing I was unable to run it on a BDC against the BDC itself, but it seemed to work correctly on a Workstation and PDC, and worked remotely from a BDC to a PDC. We're not exactly sure why it didn't work on my BDC, so feedback to David would be appreciated.
From David LeBlanc's announcement:
"As always, this code has NOT been tested thoroughly. I may have screwed something up. Use AT YOUR OWN RISK. Do NOT test this using the only admin account where you know the password, or you too will be downloading the password changing floppy (it works... <sheepish grin>). It should get us through until MS fixes it correctly."
Direct feedback to dleblanc@mindspring.com or NTSecurity@listserv.ntbugtraq.com
Download GROUPMONITOR.ZIP (13,351 bytes) (many thanks to Andy Murrell for hosting this link!)
See also the CREATALS.EXE description.
Cheers,
This page has been online since Monday, June 01, 1998.