Re: Hacked NT/2K box

From: Bronek Kozicki (brok@rubikon.pl)
Date: 07/26/01


Message-ID: <007f01c115bb$25b71e30$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: "Pidgorny, Slav" <pidgorns@anz.com>, "'Nichola Veitch'" <veitchn@hotmail.com>, <ryan@eEye.com>, <keydet89@yahoo.com>, <lynch00@msn.com>, <focus-ms@securityfocus.com>
Subject: Re: Hacked NT/2K box
Date: Thu, 26 Jul 2001 12:10:01 +0200


> Administrator can install drivers? :)
Yes, of course. A domain admin can fully manage all machines & accounts in
the domain (obviously).

> I don't have an answer but I do have a question: why the customer's
> running IIS under admin account, not just user account?

IIS, that is the inetinfo.exe process (hosting the services IISAdmin, W3SVC,
SMTPSVC, MSFTPSVC, and sometimes others), uses some APIs that are not
available to a user account. Sub-authentication (i.e. controlling the anonymous
user's password) is among them. That's why inetinfo.exe must run under a
privileged account. But: it does not need to be an account privileged in the entire
domain! The default LocalSystem is enough. _IF_ for some reason inetinfo.exe
needs to access network resources under its own account, you can run it
under a domain user which, _locally_, only on this WWW server, belongs to the
local Administrators group. Let me repeat: running IIS under domain admin is
_very_ insecure. Leave it as LocalSystem, or use a domain user account (and make
this user a _local_ admin on the WWW server) if for some reason it needs access
to the network. Otherwise a successful attack on IIS will totally expose the whole
domain!

Under normal circumstances the process account is _not_ used to run ASP pages
or to access WWW resources (except in Application_OnStart and Application_OnEnd).
The account used to access resources & run ASP applications is the user's: anonymous
(i.e. IUSR_machine) or authenticated via HTTP. The rare situations when the process
account is used to access network resources can be justified only by bad
(insecure) site design. Among them are: starting processes from within ASP
pages, dropping impersonation inside ASP, improper use of
Application_OnStart or Application_OnEnd. Even if (for some reason) your
customer needs to use some of these, he can use a process other than
inetinfo.exe - that's what "application isolation/protection" is for! If
it's set to High, the whole ASP application runs in a separate process managed
by COM+ (or MTS in WinNT4), and _this_ process does not need special
privileges except "logon as batch job" (by default it's the IWAM_machine user,
but it can be changed to a domain user).

Regards

B.

>
> Kindest,
>
> Svyatoslav Pidgorny
>
> > -----Original Message-----
> > From: Nichola Veitch [mailto:veitchn@hotmail.com]
> > Sent: 25 July 2001 18:16
> > To: ryan@eEye.com; Pidgorny, Slav; keydet89@yahoo.com;
> > lynch00@msn.com;
> > focus-ms@securityfocus.com
> > Subject: Re: Hacked NT/2K box
> >
> >
> > A customer of mine is running IIS (not sure yet if 4 or 5).
> > The IIS service account is using the domain admin account. Can anyone
> > tell me the implications of changing this account to one with less
> > privileges (should it be using the system account???)
> >
>
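The check the thread is really asking for, as an added example that is not part of the original message or any poster's code: report which account each of the IIS-related services named above (IISAdmin, W3SVC, MSFTPSVC, SMTPSVC) logs on as, and flag any that run under a domain account, especially a member of Domain Admins. It assumes a modern Windows host with PowerShell (Get-CimInstance), that the service names are the ones the message lists (not all will exist on every box), and, for the group-membership check only, that the optional ActiveDirectory (RSAT) module is installed; without it the script still reports the account and asks you to review it by hand.

```powershell
# Added example (not from the original thread). Reports the logon account of the
# IIS services named in the message and flags domain accounts / Domain Admins.
# Assumptions: PowerShell 3+ (Get-CimInstance); ActiveDirectory module optional.

$iisServices = 'IISADMIN', 'W3SVC', 'MSFTPSVC', 'SMTPSVC'

# Built-in local accounts carry no domain-wide privilege. LocalSystem is the
# default the message recommends leaving in place.
$localBuiltin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-DomainAdminSet {
    # Returns a case-insensitive set of Domain Admins members in DOMAIN\sam form,
    # or $null when the ActiveDirectory module is not available on this host.
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $domain  = (Get-ADDomain).NetBIOSName
        $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
        $set = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
        foreach ($m in $members) { [void]$set.Add("$domain\$($m.SamAccountName)") }
        return $set
    } catch {
        Write-Warning 'ActiveDirectory module not available; skipping the Domain Admins membership check.'
        return $null
    }
}

function Test-IisServiceAccounts {
    $domainAdmins = Get-DomainAdminSet
    foreach ($name in $iisServices) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { continue }          # service not installed on this box
        $acct = $svc.StartName               # e.g. LocalSystem, DOMAIN\user, user@domain (UPN)
        $verdict =
            if ($localBuiltin -contains $acct) { 'OK: built-in local account' }
            elseif ($acct -like '.\*' -or $acct -like "$env:COMPUTERNAME\*") { 'OK: local account on this server' }
            elseif ($acct -like '*@*') { 'REVIEW: UPN-form account; resolve to DOMAIN\sam and check Domain Admins manually' }
            elseif ($domainAdmins -and $domainAdmins.Contains($acct)) { 'CRITICAL: service runs as a Domain Admin' }
            else { 'REVIEW: domain account; confirm it is only a member of the local Administrators group here' }
        [pscustomobject]@{ Service = $name; State = $svc.State; Account = $acct; Verdict = $verdict }
    }
}

Test-IisServiceAccounts | Format-Table -AutoSize
```

Run it on the web server itself (not the domain controller), since the point of the message is that the account may legitimately be a member of that server's local Administrators group while having no privilege anywhere else in the domain; a CRITICAL row is exactly the configuration the thread warns about.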


