Re[2]: Messenger service abuse (from inside the network)
From: Alexander Lukyanenko (sashman_at_ua.fm)
Date: 12/05/03
- Previous message: Keith Anderson: "RE: PIX help-- DMZ to DMZ using outside addresses"
- In reply to: Camp, Mr Tony J.: "RE: Messenger service abuse (from inside the network)"
- Next in thread: Shawn Jackson: "RE: Re[2]: Messenger service abuse (from inside the network)"
- Maybe reply: Shawn Jackson: "RE: Re[2]: Messenger service abuse (from inside the network)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 5 Dec 2003 21:39:47 +0200
To: "Camp, Mr Tony J." <camptj@centcom.mil>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Mr. Tony J. Camp
The box IS secured, no CD-ROM drives are present, floppy drives are
disabled from the BIOS (which is password-protected), the HDD is the
only device mentioned in the bootup sequence. The physical
modification is not possible (the users dare not do anything to the
hardware).
The /boot partition (errm, no /boot on Windows, I mean the C: drive
where the ntldr lives) is NTFS and is correctly ACL'ed.
Friday, December 5, 2003, 3:23:02 PM, you wrote:
CMTJ> For this to be effective, the box will need to be physically secured as
CMTJ> well. Disable CD booting in the BIOS, password protect the BIOS, and put a
CMTJ> padlock on the case (to prevent BIOS reset by jumper). Otherwise they could
CMTJ> just boot to a certain cd, blank the local admin password, and reset the ACL
CMTJ> on the net command.
CMTJ> -----Original Message-----
CMTJ> From: Shawn Jackson [mailto:sjackson@horizonusa.com]
CMTJ> Sent: Wednesday, December 03, 2003 7:48 PM
CMTJ> To: Alexander Lukyanenko; security-basics@securityfocus.com
CMTJ> Subject: RE: Messenger service abuse (from inside the network)
CMTJ> One account for all those students...*whimper*. You just angered the
CMTJ> Audit gods! I assume they are using the net command for it:
CMTJ> net SEND /DOMAIN:YOURDOMAIN I-Hax0r-U
CMTJ> Just ACL the net command to SYSTEM, DOMAIN ADMINS, etc. Make sure
CMTJ> you got everything locked down on the system (gpedit.msc). Also make sure
CMTJ> they aren't installing any software for messenger spamming.
CMTJ> Shawn Jackson
CMTJ> Systems Administrator
CMTJ> Horizon USA
CMTJ> 1190 Trademark Dr #107
CMTJ> Reno NV 89521
CMTJ> www.horizonusa.com
CMTJ> Email: sjackson@horizonusa.com
CMTJ> Phone: (775) 858-2338
CMTJ> (800) 325-1199 x338
CMTJ> -----Original Message-----
CMTJ> From: Alexander Lukyanenko [mailto:sashman@ua.fm]
CMTJ> Sent: Wednesday, December 03, 2003 11:58 AM
CMTJ> To: security-basics@securityfocus.com
CMTJ> Subject: Messenger service abuse (from inside the network)
CMTJ> -----BEGIN PGP SIGNED MESSAGE-----
CMTJ> Hash: SHA1
CMTJ> Hello list.
CMTJ> I administer a high school network running W2K Pro in an Active Directory
CMTJ> domain.
CMTJ> The problem is that the users abuse the Messenger service by sending some
CMTJ> mischief over the network (furthermore, they even write batch files that
CMTJ> repeatedly flood the domain with the same text). Is there a way to prevent this,
CMTJ> except by changing net.exe's ACL on all machines (or beating the offenders
CMTJ> after classes :)? Stopping Messenger service on the workstations is not a
CMTJ> solution, as it is used for sending various administrative messages. All
CMTJ> students share a common AD account (it would be cumbersome to maintain 300+
CMTJ> user accounts, as most of them use the PCs for short periods only).
CMTJ> Best regards
CMTJ> * * * * * * * * * * * * * * *
CMTJ> * Alexander V. Lukyanenko *
CMTJ> * ma1lt0: sashman ua fm *
CMTJ> * ICQ# : 86195208 *
CMTJ> * Phone : +380 44 458 07 23 *
CMTJ> * OpenPGP key ID: 75EC057C *
CMTJ> * NIC : SASH4-UANIC *
CMTJ> * * * * * * * * * * * * * * *
CMTJ> -----BEGIN PGP SIGNATURE-----
CMTJ> Version: GnuPG v1.2.3 (MingW32)
CMTJ> iD8DBQE/zkBXlz+8e3XsBXwRAi/VAKCTyRlRA4iAQY6Opbk0w1jYypvYNACdFaUR
CMTJ> kUWN82Zu6d+xu0bMpfQ2GlM=
CMTJ> =cpq+
CMTJ> -----END PGP SIGNATURE-----
* * * * * * * * * * * * * * *
* Alexander V. Lukyanenko *
* ma1lt0: sashman ua fm *
* ICQ# : 86195208 *
* Phone : +380 44 458 07 23 *
* OpenPGP key ID: 75EC057C *
* NIC : SASH4-UANIC *
* * * * * * * * * * * * * * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
iD8DBQE/0N8Jlz+8e3XsBXwRAk0DAJ4+EhxfVFz7MgTkmCm1gKiZanAflgCcDvr/
txJbAjFc7YeZtS9AN5FOfgM=
=nn1R
-----END PGP SIGNATURE-----
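
Added example, not part of the original thread or any poster's code: a PowerShell audit, for current Windows versions, that checks whether the "ACL the net command" restriction discussed above is actually in place on a workstation. The allowed-principal names are assumptions (they vary by domain and OS language), and net1.exe is included because net.exe hands its subcommands to it.

```powershell
# Added example: report principals outside an allow-list that may execute net.exe / net1.exe.
# Assumption: run locally on each workstation, e.g. from a startup script you already deploy.
param(
    [string[]]$Binaries = @("$env:SystemRoot\System32\net.exe",
                            "$env:SystemRoot\System32\net1.exe"),
    # Principals the thread proposes to keep; names are assumptions, adjust per domain/locale.
    [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '*\Domain Admins')
)

# ExecuteFile (0x20) plus the raw GENERIC_EXECUTE / GENERIC_ALL bits, which Get-Acl
# can return unmapped on ACEs that were written with generic rights.
$ExecuteMask = 0x20 -bor 0x20000000 -bor 0x10000000

function Test-AllowedPrincipal {
    param([string]$Name, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

function Get-UnexpectedExecuteAce {
    param([string]$Path, [string[]]$Patterns)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $ExecuteMask) -ne 0) -and
        -not (Test-AllowedPrincipal $_.IdentityReference.Value $Patterns)
    }
}

$findings = foreach ($b in $Binaries) {
    if (-not (Test-Path -LiteralPath $b)) { continue }   # binary absent on this OS version
    foreach ($ace in Get-UnexpectedExecuteAce -Path $b -Patterns $Allowed) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            File      = $b
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Non-zero exit lets a deployment tool flag machines where the restriction is missing.
if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
Write-Output "OK: only allowed principals can execute the audited binaries on $env:COMPUTERNAME"
```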