Proxy 2.0 secure?

Stout, Bill StoutB@pios.com
Thu, 25 Jun 1998 14:34:03 -0400


> ----- Original Message -----  From Aleph One
> 
> On Thu, 18 Jun 1998, Stout, Bill wrote:
> 
> > Recently mnemonix discovered that various applications can be
> > renamed to \winnt\system32\logon.scr (the logon screen saver) which
> > run either with file owner privs or 'system' privs.  Applications such
> > as usermanager can be used to add a user to local admin groups and
> > then domain admin groups.  That's an example of so simple a thing that
> > should've been discovered long ago.  (Research on the behaviour still
> > being conducted).
> 
> And if you followed the discussion you know that he must have been an
> admin because no one could reproduce his results as a regular user.

That's why the caveat.  Being able to rename an exe as a passive file
and it running when you call it has long been a problem with NT, since
it's an easy trojan.  A simple user can edit the registry with default
privileges of the Debug key location, and replace Dr. Watson with
Usermanager so on error usrmgr.exe runs with SYSTEM privilege, or he
could just rename usrmgr.exe to drwatson.exe.  A simple user can then
add themselves to local and domain administrator groups.  That was noticed
and verified by Dominique and Mnemonix, which started the whole registry
permissions thread.

This is mentioned to answer the opinion that 'bugs existed, but they
were all fixed'.  That's the same as saying 'once a service pack or
hotfix is issued, there will never be another'.  Another analogy, 'My
house was never broken into, therefore it's secure'.

> Actually, as far as I know PPTP will be in NT5.0. They will probably
> try to deploy L2FP but they must keep backwards compatibility.

L2TP will be added to 5.0, but you're right on both counts.  All
Microsoft products take great pains to be backwards compatible which is
why we'll have even WFW Lanman security to deal with for a while.  If
you have a product that continues to gather features as it rolls into the
future (like a big ball of sticky tape), you'll end up with 27 million
lines of interdependent (possibly unpredictable) code in the O.S. as a
base for your Firewall.  ;^)

'Embedded NT' may be a better NT option as a Firewall base O.S., though
I'm fascinated by the Cabletron Yago box architecture (layer 3 switch);
router executables are hardcoded into ASICs, and reference route tables
(rules) in RAM updated by a control module.  Hmm, proxy ASICs...

Bill Stout
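The two substitution paths Bill describes above (the Dr. Watson debugger hook reachable through a registry key with permissive default ACLs, and a renamed executable dropped in as the logon screen saver) are both things a defender can audit for. The following PowerShell script is an added example and is not code from the post or its author: it reads the ACLs on the debugger key and on logon.scr and reports any Allow entry that hands write rights to a principal every interactive user belongs to, and it checks the screen saver's Authenticode status. It assumes that the "Debug key location" the post refers to is the AeDebug key (the post does not name the key), that the screen saver lives at the path given in the quoted text, and that the list of low-privilege principals is the one set in the script.

```powershell
# Added example (not from the post): audit the debugger hook and the logon
# screen saver for ACLs that let a low-privilege user swap in a binary.
# Assumption: the post's "Debug key location" is the AeDebug key; the
# screen saver path is the one named in the quoted text.
$AeDebugKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
$LogonScr   = Join-Path $env:SystemRoot 'system32\logon.scr'

# Principals that any interactive user is a member of (assumed list).
# Write rights granted to these are what make the substitution possible.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing which binary is run.
$RegWrite  = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, WriteKey, FullControl'
$FileWrite = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl'

function Get-WeakAce {
    # Returns Allow ACEs granting any of $Rights to a low-privilege principal.
    param(
        [Parameter(Mandatory)] $Acl,
        [Parameter(Mandatory)] $Rights,
        [Parameter(Mandatory)] [string] $RightsProperty   # 'RegistryRights' or 'FileSystemRights'
    )
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        ([int]$_.$RightsProperty -band [int]$Rights) -ne 0
    }
}

function Test-DebuggerHook {
    # Who may change the crash-time debugger, and what it currently points at.
    $acl  = Get-Acl -Path $AeDebugKey
    $weak = @(Get-WeakAce -Acl $acl -Rights $RegWrite -RightsProperty 'RegistryRights')
    $dbg  = (Get-ItemProperty -Path $AeDebugKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
    $finding = if ($weak.Count) { 'Low-privilege principal can change the debugger that runs on a crash' } else { 'OK' }
    [pscustomobject]@{
        Check        = 'AeDebug\Debugger'
        CurrentValue = $dbg
        WeakAces     = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
        Finding      = $finding
    }
}

function Test-LogonScreenSaver {
    # Can a low-privilege user overwrite logon.scr, and is the file still the signed one?
    if (-not (Test-Path -Path $LogonScr)) {
        return [pscustomobject]@{ Check = $LogonScr; Finding = 'File not present' }
    }
    $acl  = Get-Acl -Path $LogonScr
    $weak = @(Get-WeakAce -Acl $acl -Rights $FileWrite -RightsProperty 'FileSystemRights')
    $sig  = Get-AuthenticodeSignature -FilePath $LogonScr
    $finding = if ($weak.Count -or $sig.Status -ne 'Valid') {
        'Screen saver is writable by a low-privilege principal or its signature is not valid'
    } else { 'OK' }
    [pscustomobject]@{
        Check     = $LogonScr
        Owner     = $acl.Owner
        Signature = $sig.Status
        WeakAces  = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        Finding   = $finding
    }
}

Test-DebuggerHook      | Format-List
Test-LogonScreenSaver  | Format-List
```

Reading the ACLs does not require an elevated prompt, so the script can run as the same "simple user" the post talks about; a clean result is two `OK` findings. The low-privilege principal list is deliberately short and should be extended with any group your environment puts every user into, since the check is only as good as that list.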