From: Information Security (InformationSecurityFEDERATEDINV.COM)
Date: Mon Aug 20 2001 - 09:09:00 CDT


    In the [Registry Keys], [File Security] and [Services] sections,
    security configuration templates use other "shortcut" naming
    conventions also.
    These are the ones I've found hard-coded in valid .inf templates, and
    the associated SID (I haven't tried to use them in the [Privilege
    Rights] section):

    id = AU|CG|CO|WD|IU|NU|SU|SY|S-...
      AU=authenticated users (S-1-5-11)
      CG=creator group (S-1-3-1)
      CO=creator owner (S-1-3-0)
      ED=enterprise domain controllers (S-1-5-9)
      IU=interactive (S-1-5-4)
      NU=network (S-1-5-2)
      PS=self (S-1-5-10)
      SU=service (S-1-5-6)
      SY=system (S-1-5-18)
      WD=everyone (S-1-1-0)
      S-... = the actual sid
      ?BA=Local Administrators

    The ID field is used in a few different places with security
    settings, such as the owner of an entry, or the specific group to which
    a policy setting should apply.

    These apply to SCE templates only; I haven't yet related them to the
    group policy objects themselves. There may be others. I also found
    it interesting that the following "standard" SIDs can be back-door'd
    into the .inf, but don't have a shortcut:

      Null SID S-1-0-0
      Local SID S-1-2-0
      Dialup S-1-5-1
      Batch S-1-5-3
      AnonymousLogon S-1-5-7
      Terminal Server S-1-5-13

    I'm working on a document that fully reverse-engineers security
    templates to produce a simple readable delimited interpretation; it's
    impossible to dig through the GUI to find all the settings. The goal is
    to use Perl & the templates to audit our environment. If anyone's
    interested in some more of the findings or would like to help, drop me
    a line.

    Thanks!

    -----Original Message-----
    From: Tony Chow [mailto:tchowBLUETENTACLE.COM]
    Sent: Friday, August 17, 2001 1:55 PM
    To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
    Subject: Re: Windows 2000 SP2 local policy settings not stored using SIDs?

    Hello everyone, if I may chime in.

    In my experience a security template in Windows 2000 always stores an
    account/group by its SID given the account/group can be found on the
    system/domain on which the template is created.
    ...
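
The following Python example is added here and is not the poster's code or tooling: it expands the shortcut identifiers from the table in the message inside the SDDL strings of template entries, and marks trustees that are SIDs the message lists as having no shortcut. The section names, the `target,mode,"SDDL"` entry layout, the SID used for BA and the sample template are assumptions; `PU` stands in for a shortcut that is not in the post's table.

```python
import re

# Shortcut -> SID as listed in the post. The post names BA without a SID;
# S-1-5-32-544 is the well-known BUILTIN\Administrators alias.
SHORTCUTS = {"AU": "S-1-5-11", "CG": "S-1-3-1", "CO": "S-1-3-0",
             "ED": "S-1-5-9", "IU": "S-1-5-4", "NU": "S-1-5-2",
             "PS": "S-1-5-10", "SU": "S-1-5-6", "SY": "S-1-5-18",
             "WD": "S-1-1-0", "BA": "S-1-5-32-544"}
# SIDs the post says a template accepts although they have no shortcut.
NO_SHORTCUT = {"S-1-0-0": "Null SID", "S-1-2-0": "Local SID",
               "S-1-5-1": "Dialup", "S-1-5-3": "Batch",
               "S-1-5-7": "AnonymousLogon", "S-1-5-13": "Terminal Server"}
# Assumed names of the sections whose entries end in an SDDL string.
SDDL_SECTIONS = {"Registry Keys", "File Security", "Service General Setting"}

def trustees(sddl):
    """Return (role, sid) for the owner, group and each ACE of an SDDL string."""
    found = [("owner" if tag == "O" else "group", ident) for tag, ident in
             re.findall(r"([OG]):(S-[\d-]+|[A-Z]{2})", sddl.split("(", 1)[0])]
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) >= 6:
            found.append((fields[0], fields[5]))
    return [(role, SHORTCUTS.get(ident, ident)) for role, ident in found]

def audit_template(text):
    """Return (section, target, role, sid, note) for every trustee found."""
    section, findings = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section in SDDL_SECTIONS and line and not line.startswith(";"):
            target = line.split(",", 1)[0].strip('"')
            sddl = line.rsplit(",", 1)[-1].strip('"')
            for role, sid in trustees(sddl):
                unresolved = "" if sid.startswith("S-") else "unresolved shortcut"
                findings.append((section, target, role, sid,
                                 NO_SHORTCUT.get(sid, unresolved)))
    return findings

# Constructed sample template, not taken from a real system.
SAMPLE = r"""
[Registry Keys]
"MACHINE\Software\Example",2,"D:P(A;CI;GA;;;BA)(A;CI;GR;;;S-1-5-7)"
[File Security]
"%SystemRoot%\example",2,"O:SYD:P(A;OICI;GA;;;SY)(A;OICI;GR;;;AU)(A;;GR;;;PU)"
"""

if __name__ == "__main__":
    print("\n".join("\t".join(f) for f in audit_template(SAMPLE)))
```

The output is tab-delimited, one trustee per line, so entries that grant rights to a no-shortcut SID such as AnonymousLogon can be filtered on the last column.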
