Re: 2003 Web Server Security flaw

From: Robert Moir (bofh_at_mvps.org)
Date: 12/28/03


Date: Sun, 28 Dec 2003 19:12:58 -0000

Robert Waite wrote:
> Thanks, but I never asked that Microsoft please me.
>
> Many other Windows components and services
> can be uninstalled or disabled. Please see my reply to "Nobody" post.
> You guys are assuming the exe is the only problem and no hacker has
> ever been able to get past group policies.

I'm not assuming any such thing. If a user can run executables on your
system then you've lost. OE, Netmeeting and Media Player would be somewhere
towards the bottom of my list of things I'd hate them to run, however. I'd
be far more worried about things like the command interpreter or them gaining
control of the shell or control of services.

You can use GPOs to stop people running things from the desktop - which I
originally assumed was your problem as you were not clear in your post about
what exactly the details of the "flaw" you had discovered were.

You can also use them as a template for setting permissions to deny
read/write to *everyone*, including admins, which would certainly "cripple"
them to all intents and purposes, so as it happens I believe I answered your
question anyway.

You can of course argue that someone could compromise your system enough to
reset the permissions on those things, and you might even be right, but if
they compromise your system to that extent then those files are the least of
your problems.

It's kinda like worrying that someone might steal the candies from the candy
jar in your kitchen if they break into your house full of priceless
paintings, irreplaceable family heirlooms, and $2,000,000 in cash in bundles
under your bed. Yes they might steal the candies, and yes theft is wrong,
but I'd be more worried about losing the other stuff than I would the candy.

> Norberg and others who
> know far more than myself would disagree with you.

Whoopee. He wrote a book. Having been asked to write them myself in the
past, I'm not _that_ impressed.

And by the way, disagree with me on what statement? I said that code is
never a problem if it's never run. I'm willing to stand by that statement.

> I am not asking for a debate on WHY I asked the question... just if
> somebody happens to know HOW.

Sure. Delete them from the system file protection cache folder as well -
C:\WINDOWS\system32\dllcache is the default location for this and it's a
protected operating system folder as well so you'll want to enable viewing
of these in explorer folder options.

As for the debate, you get what you pay for. Part of the price of admission
for free help services like this is that the people you speak to are in no
way obligated to stick to your schedule for when and how they answer
questions.

> My question clearly applied to a PRODUCTION Web Server. All experts
> agree that testing should be done
> off that server... from other servers and there is no sound reason to
> have Media Player installed on that server.

I'd personally agree with this point. All testing _should_ be done off that
server. Servers should not have any workstation tools on them. And we
certainly should have more control over what components are installed on our
servers.

But as a practical matter, many people find they have practical difficulties
doing that, no matter how much I, you, Norberg or the guy who delivers the
mail all disagree with them. As I said, life is full of compromises. I've
said before that Windows 2003 is a step in the right direction but doesn't
go far enough with its movement away from having workstation "bloat" on it.

-- 
Rob Moir
Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
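The two hardening steps the reply describes (deny Everyone read/write on the workstation executables, then remove the System File Protection copy from the dllcache folder so it is not silently restored) as an added PowerShell example; this is not code from the thread or from Microsoft. The target paths are placeholders, the dllcache default is the one named in the post, and the script honours -WhatIf so it can be rehearsed off the production server first.

```powershell
# Added example, not from the newsgroup post. Run as a local administrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder targets: substitute the executables you actually want crippled.
    [string[]] $Executable = @(
        "$env:ProgramFiles\Windows Media Player\wmplayer.exe",
        "$env:ProgramFiles\Outlook Express\msimn.exe"
    ),
    # Default System File Protection cache location named in the post.
    [string] $DllCache = "$env:SystemRoot\system32\dllcache"
)

# Deny Everyone (well-known SID S-1-1-0) the data and execute rights. ReadPermissions
# is deliberately left alone so the ACL can still be inspected and undone later.
function Add-DenyEveryone {
    param([string] $Path)
    $acl      = Get-Acl -LiteralPath $Path
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile, WriteData, AppendData'
    $rule     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, $rights, 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Verification step: report whether an explicit Deny ACE for Everyone is now present.
function Test-DenyEveryone {
    param([string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' })
}

foreach ($exe in $Executable) {
    if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "missing: $exe"; continue }
    if ($PSCmdlet.ShouldProcess($exe, 'Deny Everyone read/write/execute')) {
        Add-DenyEveryone -Path $exe
    }
    # The dllcache copy is hidden and protected; -Force is needed to remove it.
    $cached = Join-Path $DllCache (Split-Path -Leaf $exe)
    if ((Test-Path -LiteralPath $cached) -and $PSCmdlet.ShouldProcess($cached, 'Remove SFP copy')) {
        Remove-Item -LiteralPath $cached -Force
    }
    '{0}: deny ACE present = {1}' -f $exe, (Test-DenyEveryone -Path $exe)
}
```

Run with `-WhatIf` first to see which files would be touched; the dllcache folder is hidden, which is why Explorer needs "show protected operating system files" enabled to browse it by hand.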

