Re: Hacked NT/2K box

From: Bronek Kozicki (brok@rubikon.pl)
Date: 07/26/01


Message-ID: <007f01c115bb$25b71e30$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: "Pidgorny, Slav" <pidgorns@anz.com>, "'Nichola Veitch'" <veitchn@hotmail.com>, <ryan@eEye.com>, <keydet89@yahoo.com>, <lynch00@msn.com>, <focus-ms@securityfocus.com>
Subject: Re: Hacked NT/2K box
Date: Thu, 26 Jul 2001 12:10:01 +0200


> Administrator can install drivers? :)
Yes, of course. Domain admin can fully manage all machines & accounts in
domain (obviously).

> I don't have an answer but I do have a question: why the customer's running
> IIS under admin account, not just user account?

IIS, that is the inetinfo.exe process (hosting the services IISAdmin, W3SVC,
SMTPSVC, MSFTPSVC, and sometimes others), uses some APIs that are not
available to a user account. Sub-authentication (i.e. controlling the anonymous
user's password) is among them. That's why inetinfo.exe must run under a
privileged account. But: it does not need to be an account privileged in the entire
domain! The default LocalSystem is enough. _IF_ for some reason inetinfo.exe
needs to access network resources under its own account, you can run it
under a domain user which _locally_, only on this WWW server, belongs to the
local Administrators group. Let me repeat: running IIS under domain admin is
_very_ insecure. Leave it LocalSystem or use a domain user account (and make
this user _local_ admin on the WWW server), if for some reason it needs access
to the network. Otherwise a successful attack on IIS will totally expose the whole
domain!

Under normal circumstances the process account is _not_ used to run ASP pages
nor to access WWW resources (except Application_OnStart and Application_OnEnd).
The account used to access resources & run ASP applications is the user: anonymous
(i.e. IUSR_machine) or authenticated via HTTP. The rare situations when the process
account is used to access network resources can be justified only by bad
(insecure) site design. Among them are: starting processes from within ASP
pages, dropping impersonation inside ASP, improper use of
Application_OnStart or Application_OnEnd. Even if (for some reason) your
customer needs to use some of these, he can use a process other than
inetinfo.exe - that's what "application isolation/protection" is for! If
it's set to high, the whole ASP application is run in a separate process managed
by COM+ (or MTS in WinNT4), and _this_ process does not need special
privileges except "logon as batch job" (by default it's the IWAM_machine user,
but can be changed to a domain user).

Regards

B.

>
> Kindest,
>
> Svyatoslav Pidgorny
>
> > -----Original Message-----
> > From: Nichola Veitch [mailto:veitchn@hotmail.com]
> > Sent: 25 July 2001 18:16
> > To: ryan@eEye.com; Pidgorny, Slav; keydet89@yahoo.com;
> > lynch00@msn.com;
> > focus-ms@securityfocus.com
> > Subject: Re: Hacked NT/2K box
> >
> >
> > A customer of mine is running IIS (not sure yet if 4 or 5).
> > the IIS service
> > account is using the domain admin account. can anyone tell me the
> > implications of changing this account to one with less
> > privileges (should
> > it be using the system account???)
> >
>
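A defender-side check for the advice in the message above, written as an added example (it is not part of the original thread and not code from any of its participants): enumerate the IIS services named there, read the account each one runs under, and classify it the way the reply does, with built-in LocalSystem as fine, a domain user that is only a local admin on the web server as acceptable, and a domain admin as the case that exposes the whole domain. It assumes a current Windows host with the ActiveDirectory RSAT module and the built-in LocalAccounts module, and that the privileged group is called "Domain Admins"; on NT4/2K-era hosts the equivalent information comes from `sc qc <service>` and `net localgroup Administrators`.

```powershell
# Added example, not from the original message: audit which account each IIS
# service runs under and flag the over-privileged cases the thread warns about.
# Assumptions: ActiveDirectory RSAT module and LocalAccounts module available,
# domain admin group named 'Domain Admins' (parameterised below).

# Service names taken from the thread (inetinfo.exe hosts these).
$IisServiceNames = @('IISADMIN', 'W3SVC', 'SMTPSVC', 'MSFTPSVC')

# Built-in identities that are acceptable for the IIS process on this host.
$AcceptableBuiltins = @(
    'LocalSystem',
    'NT AUTHORITY\LocalSystem',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LocalService'
)

function Get-IisServiceAccountAudit {
    [CmdletBinding()]
    param(
        [string]$DomainAdminGroup = 'Domain Admins'   # assumed group name
    )

    # Recursive membership of the domain admin group, normalised to DOMAIN\sam.
    $domain = (Get-ADDomain).NetBIOSName
    $domainAdmins = Get-ADGroupMember -Identity $DomainAdminGroup -Recursive |
        ForEach-Object { "$domain\$($_.SamAccountName)".ToLowerInvariant() }

    # Direct members of the local Administrators group on this web server.
    # Note: Get-LocalGroupMember does not expand nested domain groups, so a user
    # who is a local admin only via group nesting is reported as REVIEW below.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.ToLowerInvariant() }

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $IisServiceNames -contains $_.Name } |
        ForEach-Object {
            $account = $_.StartName
            $key     = $account.ToLowerInvariant()

            # '.\user' means a local account; rewrite to COMPUTER\user so it
            # compares against the Get-LocalGroupMember output.
            if ($key.StartsWith('.\')) {
                $key = "$($env:COMPUTERNAME)\$($key.Substring(2))".ToLowerInvariant()
            }

            $isBuiltin     = $AcceptableBuiltins -contains $account
            $isDomainAdmin = (-not $isBuiltin) -and ($domainAdmins -contains $key)
            $isLocalAdmin  = (-not $isBuiltin) -and ($localAdmins  -contains $key)

            # Map onto the thread's advice:
            #   built-in (LocalSystem etc.)       -> fine
            #   domain user in Domain Admins      -> compromise of IIS exposes the domain
            #   domain user, local admin only     -> acceptable when network access is needed
            $verdict = if ($isBuiltin)         { 'OK: built-in account' }
                       elseif ($isDomainAdmin) { 'CRITICAL: service runs as a domain admin' }
                       elseif ($isLocalAdmin)  { 'ACCEPTABLE: domain user, local admin only' }
                       else                    { 'REVIEW: non-built-in account, not a direct local admin' }

            [pscustomobject]@{
                Service     = $_.Name
                State       = $_.State
                Account     = $account
                LocalAdmin  = $isLocalAdmin
                DomainAdmin = $isDomainAdmin
                Verdict     = $verdict
            }
        }
}

# Run on the web server itself, from an elevated session.
Get-IisServiceAccountAudit | Format-Table -AutoSize
```

Any row marked CRITICAL is the situation the original poster described: a successful attack on inetinfo.exe would hand the attacker domain-wide rights. The fix the reply recommends is to switch the service to LocalSystem, or, only if the site genuinely needs network access under the process identity, to a dedicated domain user that is added to the local Administrators group on that one web server and nowhere else.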