COMMAND

    HKKM

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Benjamin Webb found the following.  When securing HKEY_LOCAL_MACHINE,
    one area that definitely needs attention is \software\classes (note:
    this is the same as editing HKEY_CLASSES_ROOT).  This area holds all
    of the "File types" information (extension mappings).  By default
    permissions are set to Everyone:Read and Interactive:Special.  Under
    this configuration anyone logging into the machine can change the
    extension mapping.  The problem here is that it is NOT user-specific
    information.  It makes it very easy to install trojans, etc., because
    any given extension can be set to run any executable file.  Example:
    Jonny Cracker has user access to an NT box sitting at his desk.  He
    opens My Computer, goes to View... Folder Options... File Types,
    highlights "Folder" and clicks the Edit button.  He changes the
    information to run mytrojan.exe instead of explorer.exe.  Next Jonny
    logs out, thinks up a good problem, and calls his company help desk.
    Joey Supertech shows up 5 min. later (remember, this is fantasyland)
    and logs in with the Administrator account to fix Jonny's problem.
    When Joey double-clicks My Computer, it gives Jonny Admin access and
    then resets "Folder" to run explorer (courtesy of mytrojan.exe).  Joey
    considers that he might not have double-clicked fast enough, tries
    again and sure enough, My Computer pops right up.  Joey goes on to a
    life filled with technical joy after having fixed Jonny's imagined
    problem, and Jonny goes on to a life filled with cracker joy at having
    easily circumvented security policy.

    This has been tested on NTWorkstation 4.0 SP4 with IE4.01SP1.   No
    reason to think it wouldn't work on other systems.

SOLUTION

    The only difficulty with securing this area as it should be (read-only
    for authenticated, local users) is that many programs are not Windows
    NT aware.  Many programs (including Netscape Navigator/Communicator
    4.x, Office 97, etc.) write to this area at startup.  Worse, when the
    write fails they tend to either crash or pop up weird messages.  Thus,
    the registry must stay insecure for now.  Programmers need to get into
    the habit of checking before writing.

    Here is  a workaround  to keep  the security  in this area intact.
    Once the given system is configured, with all software  installed,
    log in as an Administrator.  Export (as text is fine, or using any
    of the resource kit utils) HKLM\Software\Classes.  Move that  file
    (say classes.reg) to a read-only location.  In

        HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    add "regedit  /s classes.reg"   (or a  similar import  if you used
    some other tool).  This reloads the classes each time a user  logs
    in, destroying any malicious changes.  It should be noted that  it
    will NOT affect any new keys  (if you use the text method).   This
    certainly isn't the best way to have things, but it's better  than
    leaving that particular hole open.
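    The following is an added example, not code from the advisory or from
    Benjamin Webb: a small Python audit tool that compares a baseline text
    export of HKLM\Software\Classes (the classes.reg produced by
    "regedit /e") with a later export of the same tree and reports what
    changed.  It demonstrates both the attack above (the "Folder" open
    command now points at mytrojan.exe) and the caveat of the workaround
    (a "regedit /s classes.reg" merge rewrites listed values but never
    deletes keys or values that are absent from the file, so additions
    survive the reload).  The two exports below are constructed sample
    data; the function names parse_reg_export, diff_exports, audit and
    survives_reimport are this example's own.

```python
"""Audit a regedit text export of HKLM\\SOFTWARE\\Classes against a baseline.

Added example for the HKKM advisory; the REGEDIT4-style exports embedded
below are constructed sample data.  In practice the two inputs are the
classes.reg baseline and a fresh `regedit /e current.reg HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes`.
"""
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]   # key path -> {value name: raw data}


def _split_value_line(line: str) -> Tuple[str, str]:
    """Split 'name=data'; name is @ (default value) or "quoted" with \\" escapes."""
    if line.startswith("@="):
        return "@", line[2:]
    if not line.startswith('"'):
        raise ValueError(f"unrecognised value line: {line!r}")
    i = 1
    while i < len(line) and line[i] != '"':
        i += 2 if line[i] == "\\" else 1          # step over an escaped character
    if line[i + 1:i + 2] != "=":
        raise ValueError(f"unrecognised value line: {line!r}")
    return line[1:i], line[i + 2:]


def parse_reg_export(text: str) -> RegTree:
    """Parse the text format written by regedit (REGEDIT4 or version 5.00 header)."""
    tree: RegTree = {}
    key = None
    pending = None      # (name, data so far) while a hex: value is wrapped with '\'
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                   # continuation line of a hex: value
            name, data = pending
            data += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, data)
            else:
                tree[key][name] = data
                pending = None
        elif not line or line.startswith(";") or \
                line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY EDITOR")):
            continue                              # blank line, comment or file header
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # exports contain no [-key] deletions
            tree.setdefault(key, {})
        elif key is None:
            raise ValueError("value line before any [key] line")
        else:
            name, data = _split_value_line(line)
            if data.endswith("\\"):               # hex: value continues on next line
                pending = (name, data[:-1].strip())
            else:
                tree[key][name] = data
    if pending is not None:
        raise ValueError("export ends inside a wrapped value")
    return tree


def diff_exports(baseline: RegTree, current: RegTree) -> Dict[str, list]:
    """Compare two parsed exports; 'changed' entries are (key, name, old, new)."""
    report: Dict[str, list] = {"changed": [], "added_values": [], "added_keys": []}
    for key, values in sorted(current.items()):
        if key not in baseline:
            report["added_keys"].append(key)
            continue
        for name, data in sorted(values.items()):
            old = baseline[key].get(name)
            if old is None:
                report["added_values"].append((key, name, data))
            elif old != data:
                report["changed"].append((key, name, old, data))
    report["removed_keys"] = sorted(k for k in baseline if k not in current)
    return report


def survives_reimport(report: Dict[str, list]) -> List[str]:
    """What a plain `regedit /s classes.reg` merge does NOT undo.

    An import writes every key and value listed in the file but deletes
    nothing, so changed and removed entries are restored while keys and
    values added since the baseline stay behind.
    """
    return report["added_keys"] + [f"{k}\\{n}" for k, n, _ in report["added_values"]]


def audit(baseline_text: str, current_text: str) -> Dict[str, list]:
    return diff_exports(parse_reg_export(baseline_text), parse_reg_export(current_text))


# Constructed baseline: what classes.reg would hold for a clean system.
BASELINE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder]
@="Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open\command]
@="C:\\WINNT\\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"
"EditFlags"=hex:d0,04,00,00,\
  00,00,00,00
"""

# Constructed later export: the advisory's scenario plus a harmless new key and value.
TAMPERED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder]
@="Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open\command]
@="C:\\TEMP\\mytrojan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"
"Content Type"="text/plain"
"EditFlags"=hex:d0,04,00,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.log]
@="txtfile"
"""

if __name__ == "__main__":
    rep = audit(BASELINE_REG, TAMPERED_REG)
    for key, name, old, new in rep["changed"]:
        print(f"CHANGED  {key} \\ {name}: {old} -> {new}")
    for item in survives_reimport(rep):
        print(f"ADDED    {item}  (a regedit /s reload will NOT remove this)")
```

    Run it over the real classes.reg and a fresh export before logging in
    as Administrator, or from the same Run entry after the reload, and
    treat any CHANGED line under a shell\...\command key as the trojan
    scenario above.  The ADDED lines are exactly what the text-file
    reload leaves in place, which is why the export should be redone (and
    the read-only copy replaced) after every legitimate software install.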