RE: New worm? 'readme.eml'

From: Stefan Norberg (stefan@orbisec.com)
Date: 09/20/01


From: "Stefan Norberg" <stefan@orbisec.com>
To: "Patrick S. Harper" <patrick@internetsecurityguru.com>, "'Guy Fighel'" <GuyF@xpert.com>, "'Duane Waddle'" <waddle1@us.ibm.com>, "'McCammon, Keith'" <Keith.McCammon@eadvancemed.com>
Subject: RE: New worm? 'readme.eml'
Date: Thu, 20 Sep 2001 20:59:01 +0200
Message-ID: <DLEPKNBGBAJJFJILKIOMGEJKCAAA.stefan@orbisec.com>


> Here is an easy way to do that. It is an excerpt from one of my
> hardening scripts. I rerun this after every patch and hot fix.
[snip]
> cacls c:\tools /e /p administrators:f > nul
> cacls c:\tools /e /p "creator owner":f > nul
> cacls c:\tools /e /p "backup operators":f > nul
> cacls c:\tools /e /p system:f > nul
> cacls c:\tools /e /r everyone > nul

This approach isn't good. Remember that IIS is helping attackers to run code
as SYSTEM now and then. SYSTEM is a member of "administrators". It would
make it harder for an attacker to execute these commands if you did what
Duane suggested:

Duane's words -
> Make a group, called 'bob' for instance, and put your local admin
> acct(s), and anyone else who should have to have access to these (on a
> webserver, that should be a short list). This way the 'LocalSystem'
> account does not have access to these tools - if it even finds them in
> the 1st place.

This should be sufficient:

C:\> cacls c:\tools /t /p bob:r > nul

Stefan
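The following is an added example, not part of this thread or any of its authors' scripts. It carries out the approach Duane and Stefan describe with PowerShell on a current Windows build (it assumes the Microsoft.PowerShell.LocalAccounts cmdlets are available and that it is run from an elevated prompt): create the dedicated local group, replace the whole DACL on the tools directory with a single read-and-execute ACE for that group, push the result down the tree, and then list which identities still hold an ACE so the result can be checked. The path C:\tools and the group name 'bob' are taken from the thread; the account running the script is added to the group so the replacement does not lock the operator out.

```powershell
# Added example (not from the original thread). Lock a tools directory down to
# one dedicated local group so that Administrators, SYSTEM, Users and Everyone
# hold no ACE on it. Assumed values: C:\tools and the group 'bob' (both from
# the thread); run from an elevated PowerShell prompt on the machine.
param(
    [string]$Path  = 'C:\tools',
    [string]$Group = 'bob'
)

function Initialize-ToolsGroup {
    param([string]$Name)
    # Create the group if needed and add the account running this script, so
    # replacing the ACL below does not lock out the operator doing the work.
    if (-not (Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Name -Description 'Accounts allowed to use admin tools' | Out-Null
    }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $already = Get-LocalGroupMember -Group $Name -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $me }
    if (-not $already) {
        Add-LocalGroupMember -Group $Name -Member $me
    }
}

function Set-ToolsAcl {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited ACEs (the ones
    # that let Administrators, SYSTEM and Users in), then drop every explicit
    # ACE. This is the "replace the whole ACL" behaviour of cacls /p without /e.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($rule) }

    # One allow ACE: read and execute for the group, inherited by files and
    # subfolders (cacls "r" on a tools directory needs execute to be useful).
    $rights    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Group, $rights, $inherit, $propagate, $allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl

    # Push the ACL down the tree (cacls /t): re-enable inheritance on every
    # child and strip any explicit ACE it carries of its own.
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $child = Get-Acl -Path $_.FullName
        $child.SetAccessRuleProtection($false, $false)
        foreach ($rule in @($child.Access)) {
            if (-not $rule.IsInherited) { [void]$child.RemoveAccessRuleAll($rule) }
        }
        Set-Acl -Path $_.FullName -AclObject $child
    }
}

function Test-ToolsAcl {
    param([string]$Path)
    # Return the distinct identities that still hold an ACE on the directory.
    # After hardening, only the tools group should appear; an entry for
    # Administrators, SYSTEM, Users or Everyone means the replacement failed.
    (Get-Acl -Path $Path).Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Initialize-ToolsGroup -Name $Group
Set-ToolsAcl -Path $Path -Group $Group
Test-ToolsAcl -Path $Path
```

Test-ToolsAcl is the check to keep around: run it after every patch or service pack, the same way the quoted hardening script is rerun, because a reset ACL silently reintroduces the Administrators and SYSTEM entries. As the thread says, this makes things harder rather than impossible: Administrators stay the owner of the directory, and a process holding SeTakeOwnershipPrivilege or SeRestorePrivilege (which SYSTEM does) can still take ownership and rewrite the DACL. It removes the tools from the path of least resistance and turns an abuse attempt into an ownership change that auditing of object access can record.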