Bugtraq mailing list archives

Re: NT Security Advisory: Domain user to Domain Admin - Profiles


From: paulle () MICROSOFT COM (Paul Leach)
Date: Thu, 29 Apr 1999 13:35:36 -0700


-----Original Message-----
From: Mnemonix [mailto:mnemonix () GLOBALNET CO UK]
Sent: Wednesday, April 28, 1999 12:37 PM
To: BUGTRAQ () NETSPACE ORG
Subject: NT Security Advisory: Domain user to Domain Admin - Profiles and the Registry


Problem: NT users can cause other users of the system to load a "trojaned"
profile that could lead to a system compromise. This issue has been here for
as long as NT 4 has, but I'm not sure if anybody has picked this particular
issue up.

Details: When a user logs onto an NT Workstation or Server a new subkey is
written to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
registry key. The name of this new key is that of the user's Security
Identifier or SID. One of the values of this key is the ProfileImagePath
which points to the location of the user's profile directory. This can
reference a local path (eg %systemroot%\profiles\acc_name) or a UNC path (eg
\\PDC\profiles\acc_name).


This is indeed an issue. It is documented in the "Securing Windows NT"
whitepaper,
http://www.microsoft.com/NTServer/security/exec/overview/Secure_NTInstall.asp
and anyone who has implemented those recommendations will be safe against
this vulnerability.
(NB: The registry key is misspelled "Profile List" in the document.)

Also, the SCE templates in SP4/SP5 included one designed to help automate
the recommendations in the whitepaper -- securws4.inf, IIRC. However, we
just examined it and it allows "Power Users" (abbreviated "PU") to write the
key. It'll be fixed in SP6. In the meantime, one can hand edit the entry for
ProfileList in the template. Find the line that looks like this:
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGW;;;PU)"
and get rid of the "(A;CI;GRGW;;;PU)" at the end.

Paul
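The hand edit Paul describes (dropping the "(A;CI;GRGW;;;PU)" ACE from the ProfileList line of the SCE template) can be checked and applied mechanically. The following Python helper is an added example, not code from the post or from Microsoft; it parses the SDDL DACL string on a template's registry-key line, reports every allow ACE that gives a non-administrative trustee write access to the key, and rewrites the line without those ACEs. It goes a little beyond the post: rather than looking only for the PU entry, it flags any allow ACE whose rights (two-letter SDDL tokens or a hex access mask) include write, set-value, create-subkey, delete, WRITE_DAC or WRITE_OWNER, unless the trustee is in a caller-supplied trusted set. The line layout `"key",N,"D:..."`, the trusted-trustee set and the sample lines are assumptions made for the example.

```python
"""Audit the DACL strings on the registry-key lines of an SCE (.inf) template
and strip allow ACEs that grant write access to untrusted trustees.
Added example; not code from the original post."""
import re

# Two-letter SDDL rights tokens that allow modifying a key or its ACL:
# generic all/write, key all/write, WRITE_DAC, WRITE_OWNER, DELETE.
WRITE_TOKENS = {"GA", "GW", "KA", "KW", "WD", "WO", "SD"}

# Access-mask bits with the same effect, for ACEs whose rights are given in hex.
WRITE_MASK = (0x10000000    # GENERIC_ALL
              | 0x40000000  # GENERIC_WRITE
              | 0x00080000  # WRITE_OWNER
              | 0x00040000  # WRITE_DAC
              | 0x00010000  # DELETE
              | 0x00000004  # KEY_CREATE_SUB_KEY
              | 0x00000002)  # KEY_SET_VALUE

# Trustees that are expected to have write access to ProfileList (assumption).
# CO (CREATOR OWNER) is included because the template grants it alongside DA/SY;
# pass a smaller set to audit more strictly.
TRUSTED = frozenset({"SY", "BA", "DA", "EA", "LA", "CO"})

ACE_RE = re.compile(r"\(([^)]*)\)")
# A [Registry Keys] template line: "MACHINE\...",<mode>,"<sddl>"  (assumed layout)
LINE_RE = re.compile(r'^("[^"]*",\d+,)"([^"]*)"\s*$')


def parse_aces(dacl):
    """Split a 'D:<flags>(ace)(ace)...' string into (flags, list of 6-field ACEs)."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))*)", dacl)
    if not m:
        raise ValueError(f"not an SDDL DACL string: {dacl!r}")
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(fields)
    return m.group(1), aces


def grants_write(rights):
    """True if an SDDL rights field (tokens or 0x-mask) allows modifying the key."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & WRITE_MASK != 0
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_TOKENS)


def find_write_grants(dacl, trusted=TRUSTED):
    """Trustees (SDDL aliases or SIDs) given write access by an allow ACE."""
    _, aces = parse_aces(dacl)
    return [sid for typ, _fl, rights, _g, _ig, sid in aces
            if typ == "A" and sid not in trusted and grants_write(rights)]


def harden_dacl(dacl, trusted=TRUSTED):
    """Rebuild the DACL without allow ACEs that give write access to untrusted trustees."""
    flags, aces = parse_aces(dacl)
    kept = [a for a in aces
            if not (a[0] == "A" and a[5] not in trusted and grants_write(a[2]))]
    return "D:" + flags + "".join("(" + ";".join(a) + ")" for a in kept)


def harden_template_line(line, trusted=TRUSTED):
    """Apply harden_dacl to one registry-key line of a template; other lines pass through."""
    m = LINE_RE.match(line)
    if not m:
        return line
    return m.group(1) + '"' + harden_dacl(m.group(2), trusted) + '"'


# The ProfileList line quoted in the post, with its line wrap removed.
TEMPLATE_LINE = (
    '"MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",2,'
    '"D:P(A;CI;GR;;;AU)(A;CI;GA;;;DA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGW;;;PU)"'
)

if __name__ == "__main__":
    dacl = LINE_RE.match(TEMPLATE_LINE).group(2)
    print("write access for untrusted trustees:", find_write_grants(dacl))
    print("hardened line:", harden_template_line(TEMPLATE_LINE))
```

Running the module on the quoted line reports `['PU']` and emits the same line Paul's instruction produces, with the trailing Power Users ACE removed; the CO, DA and SY entries are left alone because they are in the trusted set. Feeding the whole template through `harden_template_line` line by line would apply the same rule to every key line, which is why the trusted set is a parameter rather than a constant baked into the check.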


