Everhart,Glenn From: George [georger@NLS.NET] Sent: Monday, April 20, 1998 7:35 PM To: BUGTRAQ@NETSPACE.ORG Subject: NT configuration caution Hi Folks, I don't know exactly how common this is, and it certainly isn't a bug, but I've seen it enough that I think this post is justified. Configuration: NT4, IIS, Frontpage Extensions, Resource Kit. For a while now NT admins have had it easy because unlike UNIX, NT does not allow folks to get remote command line access for most of the types of connections it supports. It seems a lot of system administrators like to install the reskit and along with it use the rcmdsvc for remote control of their servers. rcmd allows one to get a remote command line much like telnet does with Unix. The problem comes in with the FrontPage extensions on NT (or any FTPD that requires users be entered into the NT user database). Each user who has a FP enabled website gets an account in the NT user database and this account gets the "logon locally" permission. What this in effect does is give everyone with a FP enabled website, access to the machine via rcmd as well as FP. Worse yet when they connect it dumps them right into the \winnt\system32 directory. From there they can TYPE files or EDLIN or any of the numerous tricks that the Unix admins have had to deal with for years. Depending on the configuration of the machine, many times it also gives them exec permissions for lots of programs and combined with the FP capability to download any program they want to the machine could make for a very dangerous combination. (how hard would it be to list the frontpage.ini file for example, a quick DIR FRONTP*.* /s and then a simple TYPE \path\FRONTPAGE.INI | more) The solution to this configuration error is to stop the rcmd service on the server and when you need access use the netsvc command to start it. Since only the admin has the permissions to stop and start services I think this should pretty much cure the problem. However I'd really like to hear from anyone who has ideas on this one. Geo.