From: everhart@mail09.mitre.org (Glenn C. Everhart)
To: everhart@gce.com
Date: Thu, 22 Jan 1998 15:30:30 -0500
Subject: FWD: Re: [NTSEC] Re: Registry Security

----- Forwarded message follows -----
Date: Thu, 22 Jan 98 11:34:46 -0500
From: The entropy Technician
To: "Cintron, Jose J."
cc: "NT Security Mailing List (E-mail)"
Subject: Re: [NTSEC] Re: Registry Security
In-Reply-To: <01BD2719.3860DE20@jcintron.imsidc.com>

Good ol' IPC$.....

I've been playing with this for a bit and here's what I have.

Connecting to a machine as:

    net use \\targetname\ipc$ "" /user:""

provides access to the machine with a null id (call it what you will). Depending on the security of the target machine, I have been able to...

- Acquire user ID lists, group lists, account names
- Modify user information (user mgr for domains)
- Shut down the machine (shutdown \\target /c "night!")
- Dump info about / add users (addusers -o gotcha \\target)

Some of these are obvious as to how to stop them, like not using the remote shutdown service, etc., but this is a screaming excuse to block IPC at the router level if you don't want people accessing you via the net.

To prove this, at a staff meeting I set up a demo machine about 4 states away (friend's office) and made an IPC connection to his NT box and shut it down from my office. (It was pre-arranged and agreed upon; none of you legal types need flog me.)

Somewhere in my desk (that pit of paper) I have the registry hack that removes the anonymous capacity, but it disturbs some FTP and HTTP inbound connections as I recall. This is obviously not an issue with all setups, so it's not a bad idea in most cases. I'll send that up when I find it.

Comments welcome. Asbestos undies installed.

-----------------------------------------------------------------------------
The             I want to fall asleep in your arms            ehT
Entropy         Before this nightmare is over                 yportnE
Technician      I want to understand this dream               naicinhceT
                Before it fades away .....
                        - Rumors Of The Big Wave
-----------------------------------------------------------------------------
----- End of forwarded message -----
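As an added example (not code from the original post or the list), a PowerShell audit of the LSA registry values behind the "registry hack" the mail refers to; the post does not name the value, so this assumes the documented RestrictAnonymous family under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and a hardened baseline of 1/1/0:

```powershell
# Added example, not code from the original post. Audits and optionally sets the
# LSA registry values that restrict anonymous (null-session) access, which is the
# "registry hack" the mail refers to. RestrictAnonymous is the NT 4 SP3-era value;
# RestrictAnonymousSAM and EveryoneIncludesAnonymous exist on later Windows.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hardened baseline assumed here (all values are REG_DWORD).
$Baseline = [ordered]@{
    RestrictAnonymous         = 1   # restricts anonymous enumeration (SAM on NT 4, shares later)
    RestrictAnonymousSAM      = 1   # no anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # anonymous logons are not part of Everyone
}

function Test-AnonymousRestriction {
    # Returns one object per value: current setting, expected setting, compliant or not.
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    foreach ($name in $Baseline.Keys) {
        $actual = $props.$name          # $null when the value has never been created
        $shown  = '<not set>'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Name      = $name
            Actual    = $shown
            Expected  = $Baseline[$name]
            Compliant = ($actual -eq $Baseline[$name])
        }
    }
}

function Set-AnonymousRestriction {
    # Writes the baseline; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $Baseline.Keys) {
        if ($PSCmdlet.ShouldProcess("$LsaKey\$name", "set to $($Baseline[$name])")) {
            Set-ItemProperty -Path $LsaKey -Name $name -Value $Baseline[$name] -Type DWord
        }
    }
}

# Report the current state; preview the fix for any non-compliant value.
$report = Test-AnonymousRestriction
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Set-AnonymousRestriction -WhatIf   # drop -WhatIf to apply the baseline
}
```

Since the mail reports the setting disturbing some inbound FTP and HTTP connections, run the report first and apply the baseline only after checking those services on the host in question.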