COMMAND

    rcmd

SYSTEMS AFFECTED

    Win NT with NT4, IIS, Frontpage Extensions, Resource Kit

PROBLEM

    George found  following.   This certainly  isn't a  bug, but it is
    enough seen mistake so it makes this advisory is justified.  For a
    while now NT admins have had it easy because unlike UNIX, NT  does
    not allow folks to get remote command line access for most of  the
    types  of  connections  it  supports.   It  seems  a lot of system
    administrators like to  install the reskit  and along with  it use
    the rcmdsvc for remote control  of their servers. rcmd allows  one
    to get a remote command line much like telnet does with Unix.

    The problem comes in with  the FrontPage extensions on NT  (or any
    FTPD that requires  users be entered  into the NT  user database).
    Each user who has a FP  enabled website gets an account in  the NT
    user  database  and   this  account  gets   the  "logon   locally"
    permission.  What this in effect  does is give everyone with a  FP
    enabled website,  access to  the machine  via rcmd  as well as FP.
    Worse  yet  when  they  connect  it  dumps  them  right  into  the
    \winnt\system32 directory. From there they can TYPE files or EDLIN
    or any of  the numerous tricks  that the Unix  admins have had  to
    deal  with  for  years.   Depending  on  the  configuration of the
    machine, many times it also  gives them exec permissions for  lots
    of programs and  combined with the  FP capability to  download any
    program they want to the  machine could make for a  very dangerous
    combination.  (how hard would it be to list the frontpage.ini file
    for  example,  a  quick  DIR  FRONTP*.*  /s and then a simple TYPE
    \path\FRONTPAGE.INI | more)

SOLUTION

    The  solution  to  this  configuration  error  is to stop the rcmd
    service on  the server  and when  you need  access use  the netsvc
    command to start it.  Rcmd shouldn't be used in the first place  -
    a better alternative exists.   In the server resource kit,  update
    1,  there  is  a  "Remote  Console".   Remote  Console has several
    advantages  -  for  one  thing,  it  properly  handles  apps which
    manipulate screen memory -  rcmd just redirects stdin  and stdout.
    Perhaps  the  most  important  aspect  is  that  it  does properly
    impersonate the logged in user - and those users are controlled by
    a special  group which  remote console  installs.   Also, it works
    from the "right to log on as a batch file", not the "right to  log
    on locally".

    Even  so,  the  file  system  permissions  definately  need   some
    tightening - anything  under c:\program files  has full access  to
    everyone.  Also, IIS seems not to change any of the existing  file
    permissions, just taking whatever is inherited from the  directory
    you installed into.