From: Bronek Kozicki (brokrubikon.pl)
Date: Thu Jul 26 2001 - 05:10:01 CDT


    > Administrator can install drivers? :)
    Yes, of course. Domain admin can fully manage all machines & accounts in
    domain (obviously).

    > I don't have an answer but I do have a question: why the customer's running
    > IIS under admin account, not just user account?

    IIS, that is the inetinfo.exe process (hosting services IISAdmin, W3SVC,
    SMTPSVC, MSFTPSVC, and sometimes others), is using some APIs that are not
    available to a user account. Sub-authentication (i.e. controlling the anonymous
    user's password) is among them. That's why inetinfo.exe must run under a
    privileged account. But: it does not need to be an account privileged in the entire
    domain! The default LocalSystem is enough. _IF_ for some reason inetinfo.exe
    needs to access network resources under its own account, you can run it
    under a domain user which _locally_, only on this WWW server, belongs to the
    local Administrators group. Let me repeat: running IIS under domain admin is
    _very_ insecure. Leave it as LocalSystem or use a domain user account (and make
    this user a _local_ admin on the WWW server), if for some reason it needs access
    to the network. Otherwise a successful attack on IIS will totally expose the whole
    domain!

    Under normal circumstances the process account is _not_ used to run ASP pages
    or access WWW resources (except Application_OnStart and Application_OnEnd).
    The account used to access resources & run ASP applications is the user - anonymous
    (i.e. IUSR_machine) or authenticated via HTTP. Rare situations when the process
    account is used to access network resources can be justified only by bad
    (insecure) site design. Among them are: starting processes from within ASP
    pages, dropping impersonation inside ASP, improper use of
    Application_OnStart or Application_OnEnd. Even if (for some reason) your
    customer needs to use some of these, he can use a process other than
    inetinfo.exe - that's what "application isolation/protection" is for! If
    it's set to high, the whole ASP application is run in a separate process managed
    by COM+ (or MTS in WinNT4), and _this_ process does not need special
    privileges except "logon as batch job" (by default it's the IWAM_machine user,
    but it can be changed to a domain user).

    Regards

    B.

    >
    > Kindest,
    >
    > Svyatoslav Pidgorny
    >
    > > -----Original Message-----
    > > From: Nichola Veitch [mailto:veitchnhotmail.com]
    > > Sent: 25 July 2001 18:16
    > > To: ryaneEye.com; Pidgorny, Slav; keydet89yahoo.com;
    > > lynch00msn.com;
    > > focus-mssecurityfocus.com
    > > Subject: Re: Hacked NT/2K box
    > >
    > >
    > > A customer of mine is running IIS (not sure yet if 4 or 5). The IIS service
    > > account is using the domain admin account. Can anyone tell me the
    > > implications of changing this account to one with less privileges (should
    > > it be using the system account???)
    > >
    >