COMMAND
Netfinity
SYSTEMS AFFECTED
WinNT
PROBLEM
Thomas Krug found the following: a method to run programs such as
regedit and User Manager with administrator rights using the above
tool. The following test scenario was used:
- PC with Windows NT Workstation in a Domain
- Registry has been secured (especially HKLM)
- The User has no local admin rights and is in no admin group
- The execution of regedit and regedt32 has been forbidden by
system policy
When a user runs the Netfinity Client, starts the Process Manager
(view, close and execute processes) and launches, for instance,
regedit.exe or musrmgr.exe, the programs run under the account
configured for the Netfinity service, either the system account
or an admin.
SOLUTION
IBM Netfinity RCS was built with very little security in mind.
IBM has identified a choice of actions that can be taken to avoid
this scenario. Nonetheless, they believe it is in the best
interest of customers to provide a patch in the form of a single
downloadable file to eliminate this problem. The patch will be
made available in two weeks. In the interim, the following
precautionary options can be taken to avoid the scenario described
in the posting:
* Set the NT file-level permission on the entire WNETFIN directory
(use LIST) to prevent the local user from executing any of the
Netfinity Manager Services locally.
* Restrict access to Netfinity Manager Services such as Process
Manager and Remote Session via Netfinity Security Manager.
* Start the support program service under a userid that is not an
administrator in order to provide the audit capability.
* Install Netfinity Manager code on administrator machines only
and Client Services for Netfinity Manager on the general user
population, thus limiting ability to use Process Manager and
Remote Session to the administrators.
* Modify the INSTALL.INI to prevent Process Manager and Remote
Session from being installed.
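
An audit of the first and third options above (directory permissions and the service logon account), as an added example that is not part of the original advisory or IBM's code. It uses present-day PowerShell; the drive letter in `C:\WNETFIN` and the service name are assumptions, since the advisory gives neither.

```powershell
param(
    [string]$InstallDir  = 'C:\WNETFIN',                    # assumed drive; the advisory names only WNETFIN
    [string]$ServiceName = 'PLACEHOLDER_NETFINITY_SERVICE'  # placeholder; the advisory gives no service name
)
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$systemSid = 'S-1-5-18'       # LocalSystem
$findings  = New-Object System.Collections.Generic.List[string]

# Service account: every program the service launches runs with this account's rights.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    $findings.Add("Service '$ServiceName' not found; pass the installed name with -ServiceName.")
} elseif ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    $findings.Add("Service logs on as $($svc.StartName).")
} else {
    # Compare the logon account's SID with the direct members of Administrators.
    # Membership gained through nested domain groups is not expanded here.
    $name = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ((Get-LocalGroupMember -SID $adminsSid).SID.Value -contains $sid) {
            $findings.Add("Service account $name is a member of Administrators.")
        }
    } catch {
        $findings.Add("Could not resolve service account '$name': $($_.Exception.Message)")
    }
}

# Directory ACL: flag non-admin principals allowed to execute files under the directory.
# Only the ACL on the directory itself is read; child objects are not walked.
$execMask = 0x20 -bor 0x20000000 -bor 0x10000000   # ExecuteFile, GENERIC_EXECUTE, GENERIC_ALL
if (Test-Path -LiteralPath $InstallDir) {
    $rules = (Get-Acl -LiteralPath $InstallDir).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $canExec = ([int]$r.FileSystemRights -band $execMask) -ne 0
        $trusted = $r.IdentityReference.Value -in @($adminsSid, $systemSid)
        if ($r.AccessControlType -eq 'Allow' -and $canExec -and -not $trusted) {
            $who = try { $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $r.IdentityReference.Value }
            $findings.Add("$who may execute files in $InstallDir ($($r.FileSystemRights)).")
        }
    }
} else {
    $findings.Add("Directory $InstallDir not found; pass the real path with -InstallDir.")
}
$findings   # empty output means neither condition was detected
```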