Date: Thu Mar 29 2001 - 14:07:06 CST
My apologies for the length of this, but it all ties together....
I have a secured environment of shared multi-user NT4 workstations on an NT4 domain. I built three more workstations by ghosting an old one to a new hard-drive, installing drivers for the new hardware, and ghosting this installation to the other two new machines. All works well, no problems with this portion. However...
Network security shop (of which I am not a part, even though the domain and all hardware are mine to administrate) wants me to install and run ISS Scanner. No problem there, either, since they send a guy over to ensure procedures are followed. We get it all installed, load up their custom policy checks, and start the scan.
Scan completes, and kicks out a report. The vast majority of the report (22 pages of Word 2.0, with the headers and footers deleted) consists of vulnerabilities concerning Everyone:WriteAccess to reg keys. There's one slight problem with the content... It's WRONG.
Top Level Reg Keys with Perms
(I'm not showing lower levels here, as they are all pretty much the same, except in those areas of the registry where each user is expected to be able to create/modify an entry for a certain piece of software, usually somewhere below the Software key.)
As you can see, the Everyone group has READ access to the root of the registry. Everyone is removed from all other portions of the registry, filesystem, and shares. Ok, so on to the point and my questions:
1) For every key/value that is considered sensitive (LSA, AppID, etc.), ISS kicks back a vuln warning about Everyone:Write privileges. Why?
2) I have Everyone:Read in HKEY_LOCAL_MACHINE because I sort of recall reading that it's necessary or authentication can't happen (I do not have documentation on this). Is this true, or can I change Everyone to AuthenticatedUsers?
Here are my answers, correct/enhance as you see fit:
1) ISS is looking for the Everyone group in each key/value, then looking to see what privileges the Everyone group has. I believe that if the Everyone group were there with NoAccess as the privilege, it would pass. But for some reason, since it can't find Everyone at all, it fails the check.
2) I think this is not true, because as I understand it, logging in is a System process. Once authenticated by System, the user context is created, and all new processes for that user are started with the user context (I'm not getting into the windowing system here, just the basics of authentication). So, the user doesn't need access to the registry until after authentication, right?
I did a quick test by mapping the IPC$ from another machine with a null session (net use \\machine\IPC$ `' /password:`') and opened the remote registry in regedt32. I was able to connect (because null sessions are part of Everyone, via the Guests group, right?) and view the top of the registry, but all top level keys were greyed out. I viewed the Security settings of HKEY_LOCAL_MACHINE, and attempted to change them, but was unable to save changes. So, Everyone does indeed have top level read access, but I was unable to go any deeper into the registry.
So, now I have one more question: How many of you make it a habit to remove Everyone from everything you can, and replace it with AuthenticatedUsers (or more restrictive, as applicable)?
Oh, and before anyone gets off subject about it, yes, I do know that DomainAdmins are part of the Administrators group. I have the Administrators group and System locked out of parts of the network and software portions of the registry (so that if someone does manage to get local admin/system privs (a la LPC spoofing, etc.) they still won't be able to change network settings or load un-approved/shareware software), so I have to include DomainAdmins separately.
All feedback, private or list, is appreciated. But let's not start another discussion about canned scanners, which I don't rely on either, okay?
-- William Underwood
SysAdmin, MCSE
wllmundrwdnetscape.net
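The scanner logic the poster describes in answer 1 (flagging a key because Everyone is absent from its ACL, not because Everyone can write to it) is the opposite of what an ACL audit should do. The following PowerShell script is an added example, not part of the original post and not ISS code: it reads the ACL of each listed registry path, matches ACEs by the well-known Everyone SID S-1-1-0 rather than by name, and reports a failure only when an Allow ACE actually grants write-class rights. The list of paths is an assumption chosen for illustration; the script needs Get-Acl, so it assumes a host with PowerShell rather than the NT4 boxes in the post.

```powershell
# Added example: audit registry keys for Everyone (S-1-1-0) write access.
# "Everyone absent" and "Everyone present with read-only rights" both pass;
# only an Allow ACE carrying a write-class right is reported as a finding.

# Rights that let a principal modify the key or its security descriptor.
# FullControl contains all of these bits, so it is caught by the same mask.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership'

# Well-known SID for Everyone; comparing SIDs avoids locale-dependent names.
$everyoneSid = 'S-1-1-0'

# Paths to audit (assumed list for illustration; add deeper keys as required).
$paths = @('HKLM:\', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKLM:\SECURITY', 'HKCU:\')

foreach ($path in $paths) {
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
    } catch {
        # SECURITY and SAM are normally unreadable even to administrators;
        # an unreadable ACL is reported, but it is not an Everyone:Write finding.
        Write-Output ("{0,-16} SKIP  ACL not readable: {1}" -f $path, $_.Exception.Message)
        continue
    }

    # Resolve each ACE's identity to a SID and keep only Everyone's entries.
    $everyoneAces = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
    }

    if (-not $everyoneAces) {
        # This is the case the poster's scanner got wrong: no ACE for Everyone
        # means Everyone has no rights here, which is a pass, not a failure.
        Write-Output ("{0,-16} PASS  Everyone is not present in the ACL" -f $path)
        continue
    }

    foreach ($ace in $everyoneAces) {
        # Deny ACEs never grant write; an Allow ACE fails only if it carries a write bit.
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (([int]$ace.RegistryRights -band [int]$writeMask) -ne 0)
        $verdict = if ($grantsWrite) { 'FAIL ' } else { 'PASS ' }
        Write-Output ("{0,-16} {1} Everyone {2}: {3}" -f $path, $verdict, $ace.AccessControlType, $ace.RegistryRights)
    }
}
```

Run it from an elevated prompt so that the hives the poster locked down to Administrators and System can be read; a PASS on a key where Everyone is absent is exactly the result the post argues the scanner should have produced.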