DATE:
COMMAND: NetShield
SOURCE:
AUTHOR:

SYSTEMS AFFECTED

Win NT 3.51

PROBLEM

By installing the Remote NetShield console on an NT workstation, the user is given the ability to access any machine on your network that is currently running McAfee NetShield or NT VirusScan. In other words, any NT user with just the Console portion of NetShield for NT Server installed can access, modify the configuration of, or run a scan on ANY machine (NT Server or NT Workstation) on your network unless the registry change described below is made.

Microsoft Premier Support confirmed that by default in NT 3.51 the group Everyone has special access to common groups on all NT machines. That means that joe.user, who has NT installed on his workstation and just basic user rights to his network, can Remote Registry into his company's production client/server machine, edit HKEY_LOCAL_MACHINE\Software\, and modify your MS SQL registry entries enough to kill your SQL Server. Or he can modify your production Arcada Backup environment to delete the autoloader so the next scheduled backup will fail. This is a very serious hole, and if it is not plugged by modifying the registry you are leaving yourself totally open to anyone.

Credit for this goes to R. James Bratscher.

EXPLOIT

SOLUTION

The solution is to modify the registry to restrict the ability to Remote Registry into your system. It would also be advisable to ensure that you have SP5 applied to NT 3.51 along with this fix. Some changes have been made in SP5 to give a user a very friendly message when they attempt to access a remote registry; prior to SP5 the error message is somewhat cryptic.
The TechNet article is Q153183:

Knowledge Base: How to Restrict Access to NT Registry from a Remote Computer
Article ID: Q153183
Creation Date: 11-SEP-1996
Revision Date: 13-SEP-1996

The information in this article applies to:
  Microsoft Windows NT Workstation versions 3.51 and 4.0
  Microsoft Windows NT Server versions 3.51 and 4.0

SUMMARY

Remote access to the Windows NT Registry is supported by the Registry Editor. With Windows NT 3.51 or 4.0 you can restrict this access.

MORE INFORMATION

By default on a Windows NT 3.51 system, any user can access the registry when connecting over the network. On a Windows NT 4.0 system, by default only members of the Administrators group can access the registry over the network.

Restricting Network Access to the Registry

To restrict network access to the registry, follow the steps listed below to create the following Registry key:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  Description    REG_SZ    Value: Registry Server

The security permissions set on this key define what users or groups can connect to the system for remote Registry access. The default Windows NT Server 4.0 installation defines this key and sets the Access Control List to restrict remote registry access as follows:

  Administrators    Full Control

The default configuration for Windows NT Server 4.0 permits only Administrators remote access to the Registry. Changes to this key to allow users remote registry access require a system reboot to take effect.

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.
To create the registry key to restrict access to the registry:

1. Start Registry Editor (Regedt32.exe) and go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. From the Edit menu, choose Add Key.
3. Enter the following values:
   Key Name: SecurePipeServers
   Class: REG_SZ
4. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. From the Edit menu, choose Add Key.
6. Enter the following values:
   Key Name: winreg
   Class: REG_SZ
7. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. From the Edit menu, choose Add Value.
9. Enter the following values:
   Value Name: Description
   Data Type: REG_SZ
   String: Registry Server

Exit Registry Editor and restart Windows NT.
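The same key creation and ACL restriction as a script, added here as an example that is not part of the advisory or the KB article. It assumes a Windows version with PowerShell's HKLM: registry provider (not NT 3.51 itself, where Regedt32 is the tool) and an elevated session; the function names are the example's own.

```powershell
# Added example (not from the advisory or Q153183): creates the winreg key
# the KB article describes and restricts it to Administrators (Full Control),
# the NT 4.0 default. Assumes PowerShell with the HKLM: provider and an
# elevated session; the new ACL is enforced only after a reboot.

$WinRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-RemoteRegistryAcl {
    # Audit step: list who can currently open the remote registry pipe.
    if (-not (Test-Path -Path $WinRegKey)) {
        Write-Warning 'winreg key missing: remote registry access is unrestricted (NT 3.51 default)'
        return @()
    }
    return (Get-Acl -Path $WinRegKey).Access |
        Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited
}

function Set-RemoteRegistryRestriction {
    # Create SecurePipeServers\winreg (New-Item -Force creates missing parents)
    # and the Description value exactly as the KB article specifies.
    if (-not (Test-Path -Path $WinRegKey)) {
        New-Item -Path $WinRegKey -Force | Out-Null
    }
    Set-ItemProperty -Path $WinRegKey -Name 'Description' -Value 'Registry Server' -Type String

    # Replace the ACL: stop inheriting from the Control key, drop every existing
    # entry, then grant BUILTIN\Administrators (well-known SID S-1-5-32-544)
    # Full Control. This ACL is what the remote registry service checks when
    # a client connects, so nothing else may read or open the key remotely.
    $acl = Get-Acl -Path $WinRegKey
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
    $admins = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    $allow = [System.Security.AccessControl.RegistryAccessRule]::new(
        $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($allow)
    Set-Acl -Path $WinRegKey -AclObject $acl
}

# Audit before and after the change.
Get-RemoteRegistryAcl | Format-Table -AutoSize
Set-RemoteRegistryRestriction
Get-RemoteRegistryAcl | Format-Table -AutoSize
```

Current Windows versions ship this key with additional Read entries (for example LOCAL SERVICE and Backup Operators) that this script removes; review the first audit listing before applying it on anything newer than NT 4.0.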