Recently, I got the following Hot Fix, could anyone tell me what for?
Is it the same as SP3 :
a. DNS Fix
b. IIS Fix
c. RAS Fix
d. RPC Fix
e. Serial Fix
f. SFMSVR fix
g. TCP/IP fix
Chris
These are not the same thing as SP3, but they will be included in SP3.
Each has one or two explanatory documents that tell what it fixes, and
whence whether you should bother to install them. Basically, you should
install a hotfix ONLY if you have reason to believe that it will correct a
problem you are having.
There's at least one other hot fix that can be more important than the ones
you have -- NTOSKRNL.
If you don't have the documents that explain these things, you can
1. go to the KnowledgeBase and search for "hot fix", or
2. go to ftp.microsoft.com and find the directory that holds these
hot fixes.
Hmm...
The RPC prevents a dangerous bug, that one could telnet to the RPC port,
pass it garbage characters, and send CPU usage through the sky...
Similar on the IIS fix also...
Can't remember the rest off the top of my head...
> Recently, I got the following Hot Fix, could anyone tell me what for?
> Is it the same as SP3 :
> a. DNS Fix
> b. IIS Fix
> c. RAS Fix
> d. RPC Fix
> e. Serial Fix
> f. SFMSVR fix
> g. TCP/IP fix
> Chris
: Recently, I got the following Hot Fix, could anyone tell me what for?
: Is it the same as SP3 :
: a. DNS Fix
: b. IIS Fix
: c. RAS Fix
: d. RPC Fix
: e. Serial Fix
: f. SFMSVR fix
: g. TCP/IP fix
you got to have at least these to get around some of the public security
holes present in NT 4.0. And you need lotsa luck to get around the
nonfixed and the nonpublic ones ;)
eg. for the infamous 'redbutton' tool, and for 'ntcrack' there are no
fixes yet, ie. anyone from the net can just download all your security
files and crack passwords with a good chance.
-- mingo
[snip]
This is just flat not true. There <is> a fix for the RedButton
> eg. for the infamous 'redbutton' tool, and for 'ntcrack' there are no
> fixes yet, ie. anyone from the net can just download all your security
> files and crack passwords with a good chance.
And ntcrack does nothing more than what crack does for unix.
<If> you can get ahold of the hashed passwords, you can run
ntcrack against them and you <might> crack <some> of them.
Saying "anyone from the net can just download all your security
files" is totally false. Where did you get this idea? Do you
know of <any> program which gives someone access to the SAM to
grab the obfuscated hashes for the entire network? I think not.
Lab Manager, UT Dallas
http://www.utdallas.edu/~pauls/
Please note: Reply to: is set to foil auto ads.
"Your attitude determines your altitude"
--
Bill Moran . . .
Some fear what they do not understand . . .
I understand what they fear!
Holy horror stories Batman!! If you're worried about getting hacked, set
> eg. for the infamous 'redbutton' tool, and for 'ntcrack' there are no
> fixes yet, ie. anyone from the net can just download all your security
> files and crack passwords with a good chance.
> -- mingo
DNS Fix
IIS Fix
RAS Fix
RPC Fix
Serial Fix
SFMSVR fix
TCP/IP fix
from Microsoft!! www.microsoft.com
> DNS Fix
> IIS Fix
> RAS Fix
> RPC Fix
> Serial Fix
> SFMSVR fix
> TCP/IP fix
check the NT FAQ - http://www.savilltech.com/ntfaq.html
for details.
You have to be administrator to run pwdump in the first place. Saying
anyone from the net can download your passwords is just completely
false.
David LeBlanc |Why would you want to have your desktop user,
|minicomputer-class computing environment?
|Scott McNealy
RedButton was intended to be a marketing tool for MWC. It displays an
old, but little-known "feature" in NT which is used to enable
enumeration of users for cross-domain permissions settings. It
establishes what is known as a null session, then proceeds to
enumerate the users, shares, and then attaches to the registry, where
it has the permissions of "everyone". MWC would have liked you to go
to their site and buy their "Admin Assistant" tools for $95 to solve
this "problem". One point I'll make before I explain how to stop
RedButton is that renaming administrator is COMPLETELY USELESS. It is
trivial to figure out exactly which user is admin, even if it is named
passprop.exe from the NT Resource Kit to enable lockouts on
administrator (it won't lock it out from the console). You can also
go set the "right to log on from the network" so that administrator
isn't included. Either of these approaches is FAR more effective
than renaming it.
How to stop RedButton:
1) Go into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
SecurePipeServers. Create a key named winreg. Set the permissions on
that key to whoever you'd like to access the registry from the
network. Do NOT include "everyone" in this list. Reboot.
2) Go to http://www.iss.net and download everyone2user. Apply it as
follows:
everyone2user software
everyone2user system\currentcontrolset\services
Be warned that this utility will cause significant growth in the size
of the registry. This is being looked into. Also, be aware that this
tool has NOT been tested extensively, there is NO warranty, and PLEASE
backup your registry before beginning. If you find anything not
working after applying it, enable auditing on the affected sections of
the registry, determine which keys are having the problem, and set the
permissions to correct the problem.
This tool just substitutes the users group for the everyone group in
the registry tree where you start it.
Either or both of these measures will shut down RedButton's ability to
read your registry. This absolutely should be done until SP3 comes
out. RedButton is a hack in that it does not clean up its
connections. Once it has been run, you can then pop up Registry
Editor and WRITE to any key where "everyone" has write access.
If you'd like to check just where "everyone" can go, Frank Ramos'
DumpACL is a great little tool - look at http://www.somarsoft.com.
3) In order to stop user enumeration, Phil Brass has created a tool to
do this - I don't have an URL for it right now. We'll also be able to
turn this off (along with share enumeration) after SP3 comes out.
I'll see about having Phil's tool available from ISS's page on Monday.
About NTCrack - See Russ Cooper's response, which is linked from
http://www.microsoft.com/security, or
http://ntbugtraq.rc.on.ca/index.html. The point here is that you MUST
be administrator to run this tool. Claiming that you can download the
"security files" is complete bullshit. There will be some
enhancements delivered in SP3 which can be used to stop both pwdump
and NTCrack dead in their tracks, EVEN IF AN ADMIN ACCOUNT IS
BREACHED, or if the repair disk is stolen.
If you'd like to gather more information on these topics, the archives
of the ntsecurity mailing list are kept on ISS's web site
(http://www.iss.net), and ISS's FTP site. You can also join the list
the body. The ntsecurity list is unmoderated and has a fair bit of
noise, but much useful information. There is also the NTBUGTRAQ list,
run by Russ Cooper, which is moderated and is much lower traffic.
David LeBlanc |Why would you want to have your desktop user,
|minicomputer-class computing environment?
|Scott McNealy
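The two registry checks described in the post above, as an added read-only audit script (not part of the original post, and not ISS's or Microsoft's code). It assumes PowerShell on a current Windows system and an elevated prompt; the function name `Get-EveryoneAce` is hypothetical.

```powershell
# Added example: audits the winreg key ACL and "everyone" write access.
# It only reads ACLs and changes nothing.

$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$everyoneSid = 'S-1-1-0'   # well-known SID of the "Everyone" group

function Get-EveryoneAce {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return   # key not readable with the current rights; skip it
    }
    # Translate every ACE to a SID so the match works on localized systems.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $everyoneSid -and
                       $_.AccessControlType -eq 'Allow' }
}

# Step 1: the winreg key must exist and must not grant anything to Everyone.
if (-not (Test-Path -LiteralPath $winreg)) {
    Write-Output 'winreg key is missing: no ACL limits remote registry access'
} elseif (Get-EveryoneAce $winreg) {
    Write-Output 'winreg key grants access to Everyone: remove that entry'
} else {
    Write-Output 'winreg key exists and does not list Everyone'
}

# Step 2: list keys in the two subtrees named in the post where Everyone
# can still write (the entries everyone2user is meant to replace).
$write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.PSPath
            Get-EveryoneAce $path |
                Where-Object { $_.RegistryRights -band $write } |
                ForEach-Object {
                    [pscustomobject]@{ Key = $path; Rights = $_.RegistryRights }
                }
        }
}
```

The recursive pass over `HKLM:\SOFTWARE` can take several minutes on a large hive.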
NTCrack requires that you are logged in as the administrator to use it, and
> eg. for the infamous 'redbutton' tool, and for 'ntcrack' there are no
> fixes yet, ie. anyone from the net can just download all your security
> files and crack passwords with a good chance.
> -- mingo
I checked the reg and step one is already done (by default ???) so do I
need to do step two as well??
How to stop RedButton:
1) Go into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
SecurePipeServers. Create a key named winreg. Set the permissions on
that key to whoever you'd like to access the registry from the
network. Do NOT include "everyone" in this list. Reboot.
2) Go to http://www.iss.net and download everyone2user. Apply it as
follows:
everyone2user software
everyone2user system\currentcontrolset\services
Be warned that this utility will cause significant growth in the size
of the registry. This is being looked into. Also, be aware that this
tool has NOT been tested extensively, there is NO warranty, and PLEASE
backup your registry before beginning. If you find anything not
working after applying it, enable auditing on the affected sections of
the registry, determine which keys are having the problem, and set the
permissions to correct the problem.
>> eg. for the infamous 'redbutton' tool, and for 'ntcrack' there are no
>> fixes yet, ie. anyone from the net can just download all your security
>> files and crack passwords with a good chance.