COMMAND
NetShield
SYSTEMS AFFECTED
Win NT 3.51
PROBLEM
By installing the Remote NetShield console on an NT workstation,
the user is given the ability to access any machine on your
network that is currently running McAfee NetShield or NT
VirusScan. In other words, any NT user with just the Console
portion of NetShield for NT Server installed can access, modify
the configuration of, or run a scan on ANY machine (NT Server or NT
Workstation) on your network if the registry change is not made.
Microsoft Premier Support confirmed that by default in NT 3.51
the group Everyone has special access to common groups on
all NT machines. That means that joe.user, who has NT installed
on his workstation and just basic user rights to his network, can
Remote Registry into his company's production client/server
machine and edit HKEY_LOCAL_MACHINE\Software\ and modify your MS
SQL registry entries enough to kill your SQL Server, or modify
your production Arcada Backup environment to delete the
autoloader so the next scheduled backup will fail. This is a
very serious hole, and if it is not plugged by modifying the
registry you are leaving yourself totally open to anyone. Credit
for this goes to R. James Bratscher
SOLUTION
The solution is to modify the registry to restrict the ability to
Remote Registry into your system...
It would also be advisable to ensure that you have SP5 applied to
NT 3.51 along with this fix. Some changes have been made in SP5 to
give very friendly messages to a user when they attempt to
access a remote registry. Prior to SP5 the error message is
somewhat cryptic.
The TechNet Article # Q153183
Knowledge Base
How to Restrict Access to NT Registry from a Remote Computer
Article ID: Q153183
Creation Date: 11-SEP-1996
Revision Date: 13-SEP-1996
The information in this article applies to:
Microsoft Windows NT Workstation versions 3.51 and 4.0
Microsoft Windows NT Server versions 3.51 and 4.0
SUMMARY
Remote access to the Windows NT Registry is supported by the
Registry Editor. With Windows NT 3.51 or 4.0 you can restrict
this access.
MORE INFORMATION
By default, on a Windows NT 3.51 system any user can access the
registry when connecting over the network. On a Windows NT 4.0
system, by default only members of the Administrators group can
access the registry over the network.
Restricting Network Access to the Registry
To restrict network access to the registry, follow the steps
listed below to create the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Control\SecurePipeServers\winreg
Description REG_SZ Value: Registry Server
The Security permissions set on this key define what Users or
Groups can connect to the system for remote Registry access. The
default Windows NT Server 4.0 installation defines this key and
sets the Access Control List to restrict remote registry access
as follows:
Administrators Full Control
The default configuration for Windows NT Server 4.0 permits only
Administrators remote access to the Registry. Changes to this key
to allow users remote registry access require a system reboot to
take effect.
WARNING: Using Registry Editor incorrectly can cause serious,
system-wide problems that may require you to reinstall Windows NT
to correct them. Microsoft cannot guarantee that any problems
resulting from the use of Registry Editor can be solved. Use this
tool at your own risk.
To create the registry key to restrict access to the registry:
1. Start Registry Editor (Regedt32.exe) and go to the following
subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. From the Edit menu, choose Add Key.
3. Enter the following values:
Key Name: SecurePipeServers
Class: REG_SZ
4. Go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. From the Edit menu, choose Add Key.
6. Enter the following values:
Key Name: winreg
Class: REG_SZ
7. Go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. From the Edit menu, choose Add Value.
9. Enter the following values:
Value Name: Description
Data Type: REG_SZ
String: Registry Server
10. Exit Registry Editor and restart Windows NT.
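The same winreg key still governs remote registry access on current Windows versions, so the procedure above can be audited rather than re-applied by hand. The following script is an added example, not part of the original advisory or of the Microsoft article; it assumes a Windows host with PowerShell and the HKLM: registry drive (Windows 2000 and later, not the NT 3.51 systems the advisory describes, which would be checked with Regedt32), and the list of broad principals it flags is the author's own choice.

```powershell
# Added audit example (not from the advisory or KB Q153183).
# Checks whether the winreg key exists, whether its Description value is
# 'Registry Server', and whether any broadly scoped principal is allowed
# to connect for remote registry access.

$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Principals that should not hold Allow rights on this key (chosen for this example).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'Authenticated Users', 'INTERACTIVE', 'NETWORK')

function Get-WinregAudit {
    $findings = @()

    if (-not (Test-Path -Path $WinregPath)) {
        # Without the key, remote registry access is not restricted by it at all.
        return [pscustomobject]@{
            KeyPresent  = $false
            Description = $null
            Principals  = @()
            Findings    = @('winreg key missing: remote registry access is not restricted')
        }
    }

    $desc = (Get-ItemProperty -Path $WinregPath -Name Description -ErrorAction SilentlyContinue).Description
    if ($desc -ne 'Registry Server') {
        $findings += "Description is '$desc', expected 'Registry Server'"
    }

    # Walk the ACL and flag Allow entries granted to broad groups.
    $acl = Get-Acl -Path $WinregPath
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        $broad = $BroadPrincipals | Where-Object { $who -like "*$_*" }
        if ($ace.AccessControlType -eq 'Allow' -and $broad) {
            $findings += "broad principal '$who' allowed $($ace.RegistryRights)"
        }
    }

    [pscustomobject]@{
        KeyPresent  = $true
        Description = $desc
        Principals  = $acl.Access | ForEach-Object { "$($_.AccessControlType) $($_.IdentityReference) $($_.RegistryRights)" }
        Findings    = $findings
    }
}

Get-WinregAudit | Format-List
```

An empty Findings list with Administrators as the only Allow entry matches the default NT 4.0 Server configuration described in the article.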