Analysis of the Security of Windows NT, 1 March 1999, p. 57

domain needs some way of knowing which possible users or groups are to be given rights in the trusting domain. But since the trusted domain does not trust the trusting domain (remember, trust is one-way), s/he needs a way of getting access to this information. In this case the trusting domain will open an anonymous channel to the trusted domain to obtain this information. The problem is that the anonymous user will have the rights of the Everyone group, and that group has far too many privileges. It is also not possible to just block the Everyone group without creating a new group with almost the same privileges and then replacing every occurrence of Everyone with that group. If the group is just blocked, the system will not function properly.

Microsoft has released a hotfix and instructions on how to handle this situation, but it is still dependent on a lot of configuration. See Microsoft's Knowledge Base article Q143474 for more information.

Red Button is a program written by NTsecurity.com (Midwestern Commerce, Inc.) that demonstrates this weakness. According to them, the program does the following:

•   logs on remotely to a Target computer without presenting any Username and Password.
•   shows that unauthorized access to sensitive information stored in file system and registry available to EVERYONE group can be obtained.
•   determines the current name of Built-in Administrator account (thus demonstrating that it is useless to rename it).
•   reads several registry entries (i.e. it displays the name of Registered Owner).
•   lists all shares (including the hidden ones).
•   shows that identifier Everyone includes not only legitimate users of the network but everyone.

Some of this information can also be obtained without using the program if one has access to an NT server, e.g. at home.
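The Everyone-group exposure described above, modelled as an added example that is not part of the original report: a simplified NT-style access check showing why a null session can read Everyone-readable objects, why simply blocking Everyone breaks legitimate users, and what replacing Everyone with another group changes. The tokens, ACLs and resource names are constructed, and using Authenticated Users (S-1-5-11) as the replacement group is an assumption, since the report does not name one.

```python
# Simplified model of an NT-style discretionary access check (added example).
EVERYONE = "S-1-1-0"        # well-known SID
ANONYMOUS = "S-1-5-7"       # well-known SID of the anonymous (null session) logon
AUTH_USERS = "S-1-5-11"     # assumed replacement group; the report names none
ADMINS = "S-1-5-32-544"     # well-known SID of BUILTIN\Administrators
READ, WRITE = 0x1, 0x2

def access_check(token_sids, acl, desired):
    """Walk ACEs in order: a matching deny on a needed bit fails, allows accumulate."""
    remaining = desired
    for ace_type, sid, mask in acl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def replace_everyone(acl, new_sid=AUTH_USERS):
    """Rewrite every Everyone ACE to the replacement group, keeping the masks."""
    return [(t, new_sid if sid == EVERYONE else sid, m) for t, sid, m in acl]

def block_everyone(acl):
    """The naive fix the text warns about: a deny-Everyone ACE placed first."""
    return [("deny", EVERYONE, READ | WRITE)] + list(acl)

# Constructed tokens: the null session carries Everyone but not Authenticated Users.
NULL_SESSION = {ANONYMOUS, EVERYONE}
ALICE = {"S-1-5-21-1000-1001", EVERYONE, AUTH_USERS}  # constructed user SID

# Constructed ACLs standing in for objects readable by Everyone.
ACLS = {
    "share-list": [("allow", EVERYONE, READ)],
    "registry-owner-key": [("allow", EVERYONE, READ), ("allow", ADMINS, READ | WRITE)],
}

def audit(acls, token):
    """Return the sorted names of resources the token can read."""
    return sorted(n for n, acl in acls.items() if access_check(token, acl, READ))

if __name__ == "__main__":
    fixed = {n: replace_everyone(a) for n, a in ACLS.items()}
    blocked = {n: block_everyone(a) for n, a in ACLS.items()}
    print("null session, original ACLs:   ", audit(ACLS, NULL_SESSION))
    print("null session, Everyone replaced:", audit(fixed, NULL_SESSION))
    print("alice, Everyone replaced:       ", audit(fixed, ALICE))
    print("alice, Everyone blocked:        ", audit(blocked, ALICE))
```
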
The idea here is to try to establish a trust relation with the attacked server as the trusted domain and the attacking server as the trusting domain. This trust relation will probably fail since the trusting server does not possess the right password, but the server will register the attacked server as one of its trusted domains and will, by the anonymous channel, get information such as account and user names from the attacked server.

Intent. We will use the RedButton program on our target machine and see if it indeed gives us the information claimed above.

Result. We executed the RedButton program. It worked nearly as stated above. However, it did not give us some of the promised Registry information.

7.7  Integrity Attacks

7.7.1  ERD Commander

Description. The possibility of booting a machine from a floppy, and then mounting the NTFS filesystem, not only affects the confidentiality of the system. If it is possible to write to the mounted filesystem, as well as read from it, then the integrity of the system