ADSM-L

NT registry security

2000-07-21 16:20:02
Subject: NT registry security
From: Phillip Guan <pguan AT SANSIA DOT NET>
Date: Fri, 21 Jul 2000 13:20:02 -0700
Question:

On backing up Windows NT4, we've noticed TSM creates the adsm.sys directory
where it dumps the registry and user info/passwords so it can back it up.
This is all fine, however, is it just me or does this create a huge security
hole? By default on NT4, that directory is created with permissions that
give "everyone" "change" permissions. Thus *IF* I'm able to view the local
filesystem, I can then easily go into that directory and run very commonly
available password cracking programs to retrieve all the local users and
passwords.

Now, remotely I don't believe the average user can see that directory.
However, if that same user has privs to log in locally at the console they can
definitely view it. Also, if the box happens to run IIS, there are tons of
exploits commonly available that allow a user to also view the local
filesystem. This is because the "internet guest account" that's created by
IIS has privs to log in locally.

Ok, so there's a threat of someone internally trying this at a console.
There's also a threat that someone externally could use IIS exploits to do
the same thing. Once I have the local admin password (not the domain admin
password), chances are good the local admin password is the same on other NT
boxes as well. I mean, how many shops have a different local admin password
on ALL their boxes? Not many, I suspect. Perhaps even their domain admin
password is the same as their local admin password. Even if I can't use that
password on other boxes, I can definitely install some sniffers and other
hacking tools to do even more damage. Install viruses.. destroy that box.
Obtain domain passwords.. whatever..

Now, if I could think of this, and I'm not a security expert, I would imagine
others have as well. I was able to locally log in with a non-admin user
account and use a commonly available tool to get the local admin password.
From there I can think of lots that I can do with that. All because the
adsm.sys directory has change permissions for everyone.

So has anyone else brought this issue up? Is it common knowledge? Why
doesn't Tivoli do something about it? Or perhaps I'm missing something? And
if I'm able to think of this, what other ways could someone compromise the
system using this info that I WASN'T able to think of?

I would love to hear others' comments on this.. Does it concern anyone?

Gerald Wichmann
Sansia System Solutions
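A defender-side check for the permission problem described in the post above, added here as an example; it is not code from the original message or from Tivoli/TSM. It assumes the adsm.sys staging directory sits at the root of the system drive (C:\adsm.sys) and that the TSM client runs as LocalSystem, so only SYSTEM and the local Administrators group need access. The script name (Check-AdsmSys.ps1) and the -Fix switch are this example's own, and the script needs a Windows version with PowerShell, not NT4 itself.

```powershell
# Added example (not from the original post or from TSM): report any ACE on the
# adsm.sys directory that grants a broad group access, and optionally replace
# the ACL with SYSTEM + Administrators only.
# Assumption: adsm.sys is at the root of the system drive and the TSM client
# service runs as LocalSystem. Adjust $Path / the granted principals if not.
param(
    [string]$Path = (Join-Path $env:SystemDrive 'adsm.sys'),
    [switch]$Fix
)

# NT4 "Change" corresponds to Modify; any of these lets a caller alter the dump.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)

# Groups that should never appear in an Allow ACE here. Even read access is too
# much, since the directory holds the registry dump and account database copy.
$BroadGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-OverbroadAces {
    param([string]$Dir)
    $acl = Get-Acl -Path $Dir
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadGroups -contains $_.IdentityReference.Value
    }
}

function Set-RestrictiveAcl {
    param([string]$Dir)
    $acl = Get-Acl -Path $Dir
    # Break inheritance from the drive root without copying inherited ACEs,
    # then drop any explicit ACEs that remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Dir -AclObject $acl
}

if (-not (Test-Path -Path $Path -PathType Container)) {
    Write-Host "No adsm.sys directory at $Path; nothing to check."
    return
}

$findings = @(Get-OverbroadAces -Dir $Path)
if ($findings.Count -eq 0) {
    Write-Host "OK: no broad-group ACEs on $Path"
} else {
    foreach ($f in $findings) {
        # Label the finding WRITE if the ACE carries change-level rights.
        $canWrite = ([int]$f.FileSystemRights -band $WriteRights) -ne 0
        $sev = if ($canWrite) { 'WRITE' } else { 'READ' }
        Write-Host ('{0,-6} {1,-36} {2}' -f $sev, $f.IdentityReference.Value, $f.FileSystemRights)
    }
    if ($Fix) {
        Set-RestrictiveAcl -Dir $Path
        Write-Host "ACL on $Path replaced: SYSTEM and Administrators only."
    }
}
```

Run it as `.\Check-AdsmSys.ps1` to audit and `.\Check-AdsmSys.ps1 -Fix` from an elevated prompt to tighten the directory. The same check is worth scheduling, because the client recreates the directory on each system-object backup and a fresh directory may pick the default ACL up again. On NT4 itself, where PowerShell does not exist, the equivalent one-off repair is `cacls C:\adsm.sys /T /E /R Everyone` followed by granting SYSTEM and Administrators with `cacls ... /T /E /G`; if the TSM scheduler runs under a dedicated service account rather than LocalSystem, that account must be granted access too or the backup will fail.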