Microsoft: April 2006 Archives

Did you know that Microsoft update and Windows update are not the same thing?

I knew that Microsoft was providing Office updates outside of going to officeupdate.microsoft.com, but I didn't know why I wasn't seeing those updates at windowsupdate.microsoft.com. I typically select Tools > Windows Update from within Internet Explorer. Turns out there is an update.microsoft.com, which must be where I had gotten updates for Microsoft products, not just Windows. A tip of the keyboard to F-Secure and Sunbelt for writing about that this week, and thus reminding me.

I'm not sure if I've posted about this or not. During March and into April we had a pen-testing project at school. At the beginning of the semester we had a project to configure our server (Windows 2003, or Red Hat Enterprise AS 4). Next we had to perform reconnaissance on our classmates and a collection of cannon-fodder servers set up by the instructor. This led into the pen-testing assignment.

Going into the assignment, my main concern was not getting hacked and not embarrassing myself. It actually turned out better than that. I didn't get hacked, and I was able to hack more servers than anyone else in the class.

What differentiated my results from those of my classmates was a series of application attacks. The foundation for these attacks was laid when Terminal Services was installed. You see, Terminal Services asks at install whether you want high security or application compatibility. If you select application compatibility, then any terminal server user has modify rights to c:\program files\* and some important registry keys. The administrators of those servers should have looked at the terminal server settings and changed it to high security, or looked at the file ACLs and removed the unnecessary permissions.

Although my "guest" account only had user rights, because I was a terminal server user, I was able to modify some key files. Luall.exe is Symantec LiveUpdate. When a scheduled LiveUpdate runs, it runs with SYSTEM permissions. By replacing luall.exe with my own version of the file, I was able to escalate my rights and own multiple servers.

This is another case of application compatibility mode causing security troubles. Of course this is not the preferred configuration for Terminal Services, so hopefully this isn't an exposure that you have on your own servers. If you have Terminal Services, even just for remote admin mode, make sure that you check your security level. Otherwise a Terminal Server User is just an admin who hasn't promoted himself yet.
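The check the post is asking administrators to do, "look at the file ACLs and remove unnecessary permissions," can be scripted. The following is an added example, not code from the original post or from any vendor: it walks a directory tree and reports every file or folder whose ACL grants write, modify, delete or full-control rights to a broad principal such as Everyone, Users, Authenticated Users, Remote Desktop Users or the Terminal Server User group. Anything it lists under a path that a SYSTEM service or scheduled task executes from is the same exposure the post describes. The default path, the principal name patterns and the choice of rights treated as risky are assumptions of this example; run it as an administrator.

```powershell
# Added example: audit a directory tree for ACEs that let non-administrators
# alter program files. Assumptions: run elevated; English default group names;
# $Root is a placeholder you adjust to the tree your services run from.
param(
    [string]$Root = 'C:\Program Files'
)

# Principals whose write access to a program directory is a privilege-escalation
# risk. Patterns are matched with -like (case-insensitive, '*' wildcard) because
# the domain or authority prefix varies between systems.
$riskyPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    '*\Authenticated Users',
    '*\INTERACTIVE',
    '*\Remote Desktop Users',
    '*\Terminal Server User'    # the group the app-compat setting hands rights to
)

# Any of these rights lets the holder replace or tamper with an executable.
$rightsEnum  = [System.Security.AccessControl.FileSystemRights]
$writeRights = [int]$rightsEnum::WriteData   -bor
               [int]$rightsEnum::AppendData  -bor
               [int]$rightsEnum::Write       -bor
               [int]$rightsEnum::Modify      -bor
               [int]$rightsEnum::Delete      -bor
               [int]$rightsEnum::FullControl

function Test-RiskyPrincipal {
    param([string]$Identity)
    foreach ($pattern in $riskyPrincipals) {
        if ($Identity -like $pattern) { return $true }
    }
    return $false
}

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            # Only Allow entries widen access; Deny entries are not a finding.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if (-not (Test-RiskyPrincipal $id)) { continue }
            # Mask the ACE against the write-capable rights; zero means read-only.
            if (([int]$ace.FileSystemRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    } | Format-Table -AutoSize
```

Findings flagged as Inherited usually trace back to a single parent folder (on an app-compat terminal server, Program Files itself), so fixing the parent clears most of the list; non-inherited hits are per-application permissions that need to be looked at one by one. Pair the output with the list of paths your scheduled tasks and services actually launch from: a writable binary that nothing privileged runs is a smaller problem than one, like the scheduled updater in the post, that runs as SYSTEM.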


Microsoft has released advance notification that they will be releasing five security bulletins for Windows on April 11, 2006. The highest severity rating for these issues is Critical.

- One bulletin for Microsoft Office and Microsoft Windows. The highest severity rating for this issue is Moderate.
- Four bulletins for Microsoft Windows. The highest severity rating for these is Critical.

Further details about these issues are not currently available.


hwaldron comments on whether or not Microsoft should have a public beta for security patches.

I stumbled across a blog on using IPSec for Domain Isolation. http://blogs.msdn.com/James_Morey/