COMMAND

    IBM GINA

SYSTEMS AFFECTED

    Those using IBM GINA

PROBLEM

    Frank Pikelner found the following.  It is not clear how many
    people are using the IBM GINA for authenticating NT workstation
    users against an OS/2 domain.  Recently, while going through some
    of the README files included with the GINA, he found a most
    interesting fact from IBM.  By changing a key in the workstation
    registry, ANY user on the workstation can gain local administrator
    access (the security on the key allows it).  Although this is not
    a security hole, and is documented by IBM, it is a serious flaw in
    the GINA.  If administrators are not aware of this, it could affect
    their lockdown of their workstation environments.

    Here's the registry key that is used to gain access by adding a
    domain group to the local administrators group.

        REGEDIT4

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBMNeTNT\GroupMapping]
        "DOM_USERS"="Administrators"

    Running this file will create the GroupMapping key and add all
    members of DOM_USERS to the NT Workstation local Administrators
    group.  At next logon, any DOM_USERS member will have admin level
    access on the local workstation.
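
    An audit check for the condition described above, as an added
    example (not IBM's or the reporter's code).  It lists ACEs that let
    non-administrative principals write to the IBMNeTNT key or its
    GroupMapping subkey, and any mapping onto Administrators.  The
    function names and the trusted-principal list are assumptions.

```powershell
# Added audit example; not IBM's or the advisory author's code.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\IBMNeTNT'  # key path from the advisory
$mapping = Join-Path $base 'GroupMapping'

# Write-type rights: SetValue, CreateSubKey, ChangePermissions, TakeOwnership,
# plus the generic bits GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000)
# that can appear unmapped in registry ACEs.
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

# Assumption: principals allowed to write here (English account names).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-WeakWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $canWrite = ([int]$ace.RegistryRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Key      = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.RegistryRights
            }
        }
    }
}

function Get-AdminGroupMapping {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $local = [string]$key.GetValue($name)
        if ($local -eq 'Administrators') {  # -eq ignores case for strings
            [pscustomobject]@{ DomainGroup = $name; LocalGroup = $local }
        }
    }
}

# The parent key matters too: CreateSubKey there is enough to create GroupMapping.
$base, $mapping | ForEach-Object { Get-WeakWriteAce -Path $_ }
Get-AdminGroupMapping -Path $mapping
```

    Any row from the first check means an ordinary account can create
    or alter the mapping; any row from the second means a domain group
    is already being placed in the local Administrators group.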

SOLUTION

    Nothing yet.