Interactive logons and MS03-013

From: brett hill (brett@IISANSWERS.COM)
Date: 04/17/03

    Date:         Wed, 16 Apr 2003 18:57:01 -0600
    From: brett hill <brett@IISANSWERS.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Regarding the bulletin
    http://www.microsoft.com/technet/security/bulletin/MS03-013.asp and in
    particular the section on mitigating factors that states:
    -------------
    - A successful attack requires the ability to logon interactively to the
    target machine, either directly at the console or through a terminal
    session.
    - Properly secured servers would be at little risk from this
    vulnerability. Standard best practices recommend only allowing trusted
    administrators to log onto such systems interactively; without such
    privileges, an attacker could not exploit the vulnerability.
    --------------

    The statement "A successful attack requires the ability to logon
    interactively to the target machine, either directly at the console or
    through a terminal session." is potentially misleading. First of all, it is
    not clear precisely what is meant by an "interactive" logon. If that refers
    to a "local" logon (resulting in membership in the Interactive built-in
    group), then it would make more sense to say "requires the ability to
    authenticate as a local logon" as there are other ways to authenticate to
    the server with a local logon type besides those listed (through the console
    and terminal services). The bulletin pretty clearly infers that those are
    the only methods for achieving such a session.
     
    If it is the case that the only requirement is a "local" logon then users
    who authenticate to an IIS server with Basic authentication are also in the
    category of users who could potentially use this exploit. This would also be
    true of anonymous authentication when the "Allow IIS to control password"
    box is cleared (IIS 5). The default configuration is for this checkbox to be
    set, so normally anon users are not an issue for this problem. Of course, in
    either case, the user would need the ability to write and execute programs.

    -brett hill
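
The bulletin's mitigating factor and the reply above both turn on which accounts can obtain a local logon. As an added example (not part of the original post or the bulletin), this Python code lists the principals that hold the "Log on locally" right (SeInteractiveLogonRight) in a `secedit /export` security template and are not on a trusted list; the sample export and the account names IUSR_WEB01 and webuser1 are constructed.

```python
# Constructed sample of a `secedit /export /cfg` security template; the
# account names IUSR_WEB01 and webuser1 are made up for illustration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01,webuser1
SeDenyInteractiveLogonRight = webuser1
[Version]
signature="$CHICAGO$"
"""

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group


def parse_privilege_rights(text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def untrusted_local_logon(rights, trusted=(ADMINISTRATORS,)):
    """Principals that may log on locally but are not on the trusted list.

    An explicit deny (SeDenyInteractiveLogonRight) overrides the allow,
    so principals named there are not reported.
    """
    allowed = rights.get("SeInteractiveLogonRight", [])
    denied = {p.lower() for p in rights.get("SeDenyInteractiveLogonRight", [])}
    keep = {t.lower() for t in trusted}
    return [p for p in allowed if p.lower() not in keep and p.lower() not in denied]


if __name__ == "__main__":
    for principal in untrusted_local_logon(parse_privilege_rights(SAMPLE_EXPORT)):
        print("holds 'Log on locally' but is not a trusted admin:", principal)
```

The comparison is by literal name or SID only: group membership is not expanded, so a reported group such as `*S-1-5-32-545` (built-in Users) stands for every account inside it.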
     
     


