DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  NetShield

SYSTEMS AFFECTED

  Win NT 3.51
  

PROBLEM


    By installing the Remote NetShield console on an NT workstation, the
    user is given the ability to access any machine on your network that
    is currently running McAfee NetShield or NT VirusScan.  In other words,
    any NT user with just the Console portion of NetShield for NT Server
    installed can access, modify the configuration of, or run a scan on
    ANY machine (NT Server or NT Workstation) on your network unless the
    registry change given in the SOLUTION section is made.

    Microsoft Premier Support confirmed that by default in NT 3.51 the
    group Everyone has special access to common groups on all NT machines.
    That means that joe.user, who has NT installed on his workstation and
    just basic user rights on his network, can Remote Registry into his
    company's production client/server machine and edit
    HKEY_LOCAL_MACHINE\Software\, modifying your MS SQL registry entries
    enough to kill your SQL Server, or modify your production Arcada
    Backup environment to delete the autoloader so the next scheduled
    backup will fail.  This is a very serious hole, and if it is not
    plugged by modifying the registry you are leaving yourself totally
    open to anyone.  Credit for this goes to R. James Bratscher.



EXPLOIT

  

SOLUTION


    The solution is to modify the registry to restrict the ability to
    Remote Registry into your system.

    It would also be advisable to ensure that you have SP5 applied to NT
    3.51 along with this fix.  Some changes have been made in SP5 so that
    a user receives a friendly message when they attempt to access a
    remote registry and are refused.  Prior to SP5 the error message is
    somewhat cryptic.

    The TechNet article is Q153183:

    Knowledge Base

    How to Restrict Access to NT Registry from a Remote Computer

    Article ID: Q153183
    Creation Date: 11-SEP-1996
    Revision Date: 13-SEP-1996

    The information in this article applies to:
    Microsoft Windows NT Workstation versions 3.51 and 4.0
    Microsoft Windows NT Server versions 3.51 and 4.0

    SUMMARY

    Remote  access  to  the  Windows  NT  Registry is supported by the
    Registry Editor.  With Windows  NT 3.51  or 4.0  you can  restrict
    this access.

    MORE INFORMATION

    By default on  a Windows NT  3.51 system any  user can access  the
    registry when  connecting over  the network.  On a  Windows NT 4.0
    system, by default  only members of  the Administrators group  can
    access the registry over the Network.

    Restricting Network Access to the Registry

    To  restrict  network  access  to  the  registry, follow the steps
    listed below to create the following Registry key:

	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

    Description REG_SZ Value: Registry Server

    The Security  permissions set  on this  key define  what Users  or
    Groups can connect to the  system for remote Registry access.  The
    default Windows NT  Server 4.0 installation  defines this key  and
    sets the Access  Control List to  restrict remote registry  access
    as follows:

	Administrators  Full Control

    The default configuration for  Windows NT Server 4.0  permits only
    Administrators remote access to the Registry. Changes to this  key
    to allow users remote registry  access require a system reboot  to
    take effect.

    WARNING:  Using  Registry  Editor  incorrectly  can cause serious,
    system-wide problems that may require you to reinstall Windows  NT
    to  correct  them.  Microsoft  cannot  guarantee that any problems
    resulting from the use of Registry Editor can be solved. Use  this
    tool at your own risk.

    To create the registry key to restrict access to the registry:

    1. Start Registry Editor (Regedt32.exe) and go to the following
       subkey:

	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

    2. From the Edit menu, choose Add Key.
    3. Enter the following values:

	Key Name: SecurePipeServers
	Class:    REG_SZ

    4. Go to the following subkey:

	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers

    5. From the Edit menu, choose Add Key.
    6. Enter the following values:

	Key Name: winreg
	Class:    REG_SZ

    7. Go to the following subkey:

	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

    8. From the Edit menu, choose Add Value.
    9. Enter the following values:

	Value Name: Description
	Data Type:  REG_SZ
	String:     Registry Server

    10. Exit Registry Editor and restart Windows NT.
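    The following PowerShell script is an added example, not part of this
    advisory or of the Microsoft article.  It audits the same winreg key
    that the PROBLEM section says is missing on a default NT 3.51 system
    and that steps 1-10 above create, reports who holds access on it, and
    can create the key and Description value.  It assumes an elevated
    PowerShell session on a Windows version that has PowerShell (NT 3.51
    itself does not; the key still exists on later Windows versions).  The
    function names, and the list of "broad" principals it warns about, are
    the author's own choices.

```powershell
# Added audit/remediation helper for the winreg key (Q153183). Not part of the
# advisory or the Microsoft article. Assumes an elevated PowerShell session;
# the ACL itself is left for the administrator to set in the Registry Editor.

$WinRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Test-RemoteRegistryRestriction {
    # Report whether the winreg key exists, its Description value, and the
    # access entries on it. A missing key means the NT 3.51 default applies:
    # any network user can reach the registry remotely.
    if (-not (Test-Path -Path $WinRegKey)) {
        return [pscustomobject]@{ Exists = $false; Description = $null; Access = @() }
    }
    $desc = (Get-ItemProperty -Path $WinRegKey -Name Description -ErrorAction SilentlyContinue).Description
    $acl  = Get-Acl -Path $WinRegKey
    $access = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.RegistryRights.ToString()
            Type     = $ace.AccessControlType.ToString()
        }
    }
    return [pscustomobject]@{ Exists = $true; Description = $desc; Access = @($access) }
}

function New-RemoteRegistryRestriction {
    # Create the key and the Description value from steps 1-9. The permissions
    # on the key are what actually restrict access; set them afterwards and
    # reboot, as the article says.
    if (-not (Test-Path -Path $WinRegKey)) {
        New-Item -Path $WinRegKey -Force | Out-Null
    }
    New-ItemProperty -Path $WinRegKey -Name Description -PropertyType String `
        -Value 'Registry Server' -Force | Out-Null
}

$state = Test-RemoteRegistryRestriction
if (-not $state.Exists) {
    Write-Warning 'winreg key missing: remote registry access is not restricted (NT 3.51 default).'
    Write-Output 'Run New-RemoteRegistryRestriction, set the key permissions, then reboot.'
} else {
    Write-Output "winreg key present (Description = '$($state.Description)'). Access entries:"
    $state.Access | Format-Table -AutoSize
    # Only Administrators should hold an Allow entry here; flag broad principals.
    $broad = $state.Access |
        Where-Object { $_.Type -eq 'Allow' -and $_.Identity -match 'Everyone|\\Users$|Authenticated Users' }
    if ($broad) {
        Write-Warning "Broad principals hold access on winreg: $($broad.Identity -join ', ')"
    }
}
```

    Creating the key alone does not restrict anything; it is the ACL on the
    key that determines who may connect, and the change takes effect only
    after a restart.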