Err this is a fun one. I have never looked exactly at how srvinfo gets its info but I would guess through a variety of calls as I have seen cases where some info isn't available and other info is. What this would mean is that there isn't a single switch you can probably throw.

Doing a dump of the PE header shows a slew of imported registry functions which makes sense, as well as QueryPerformanceCounter, and obviously the SCuM calls for the Service enumeration.

Imp Addr  Hint  Import Name from ADVAPI32.dll - Not Bound
--------  ----  ---------------------------------------------------------------
00001000  1C9   RegCloseKey
00001004  1ED   RegQueryValueExW
00001008  1E3   RegOpenKeyExW
0000100C  1DA   RegEnumValueW
00001010  1CB   RegConnectRegistryW
00001014  1AC   OpenSCManagerW
00001018  3E    CloseServiceHandle
0000101C  D4    EnumServicesStatusW
00001020  1D8   RegEnumKeyW
00001024  1D7   RegEnumKeyExW
00001028  1E8   RegQueryInfoKeyW

Imp Addr  Hint  Import Name from KERNEL32.dll - Not Bound
--------  ----  ---------------------------------------------------------------
00001030  10F   GetComputerNameW
00001034  2D1   SearchPathW
00001038  375   VirtualAlloc
0000103C  378   VirtualFree
00001040  29D   RaiseException
00001044  248   LoadLibraryA
00001048  21F   InterlockedExchange
0000104C  24E   LocalAlloc
00001050  1C0   GetSystemTimeAsFileTime
00001054  13B   GetCurrentProcessId
00001058  3B7   lstrcmpiW
0000105C  1D5   GetTickCount
00001060  299   QueryPerformanceCounter
00001064  177   GetModuleHandleA
00001068  33D   SetUnhandledExceptionFilter
0000106C  13A   GetCurrentProcess
00001070  351   TerminateProcess
00001074  1E2   GetVolumeInformationW
00001078  148   GetDiskFreeSpaceW
0000107C  14C   GetDriveTypeW
00001080  3C0   lstrlenW
00001084  3B1   lstrcatW
00001088  140   GetDateFormatW
0000108C  EF    FreeLibrary
00001090  198   GetProcAddress
00001094  24A   LoadLibraryExW
00001098  169   GetLastError
0000109C  17A   GetModuleHandleW
000010A0  3BA   lstrcpyW
000010A4  10C   GetComputerNameA
000010A8  BC    FileTimeToSystemTime
000010AC  3B4   lstrcmpW
000010B0  13E   GetCurrentThreadId

Imp Addr  Hint  Import Name from USER32.dll - Not Bound
--------  ----  ---------------------------------------------------------------
000010B8  37    CharUpperW
000010BC  2D6   wsprintfW
000010C0  1CB   LoadStringW

Imp Addr  Hint  Import Name from VERSION.dll - Not Bound
--------  ----  ---------------------------------------------------------------
000010C8  D     VerQueryValueW
000010CC  3     GetFileVersionInfoW
000010D0  2     GetFileVersionInfoSizeW

So registry lockdown for who can enumerate what, Service ACL lockdown via subinacl or GPO would probably be a good start. Obviously you could do it very quickly by chopping off who can connect to the computer over the network, though if you are doing anything that relies on Windows permissions as the function of the server then you will have pretty much chopped off people doing anything with it.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, July 12, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

Hi Joe,

A related question - we got to talking about what access is required to run "srvinfo.exe" (from the resource kit) against a domain controller. It seems like "authenticated users" membership is all that is needed. Now I know there are ways to restrict access to other things like the system and application event logs (http://www.windowsnetworking.com/nt/atips/atips25.shtml) but googling didn't produce anything on restricting access through tools like srvinfo. Do you know of a way to restrict this without causing other problems? TIA!

Mike Thommes

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, July 12, 2004 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

The issue with this is that it opens more attack vectors on the DC. Normally the only vectors you have are

1. Anyone with physical access
2. Any services that expose remotely exploitable holes.

With 1, you can put compensating controls into place such as locking the DC into a room or locking the cabinet or something like that. However, any person who has physical access (there has to be someone) that isn't a domain/ent admin is still a danger.

With 2, you compensate by not running any services that are not explicitly required for authenticating/authorizing people and keeping the system well patched. However any new remote non-authenticated exploit is still a serious danger.

When you allow users to TS into the machine you now allow any additional vectors that require local desktop for privilege escalation, PLUS, unless you have specially built a load to harden against local users like that, you probably have numerous other security issues in terms of what users can get access to.

I go by the basic tenet that I am not the smartest person in the universe when making decisions around security. In that I mean that even though I may not know of a hole or exploit or how to crack a given system, it doesn't mean someone else doesn't. Basically I can say something is unsafe but I can't with certainty declare something irrefutably safe.

Recall that DCs are KDCs. No one in the business of running KDCs, whether they be on UNIX, Windows, VMS, or other, thinks it is a good idea to let normal users anywhere near them. It is the heart of the security of your network.

On top of that, DCs sometimes have to be rebooted for various replication issues, etc. Normally this is something that is transparent to the user as they don't need a DC all of the time and even if they needed one while the one was down, they would find another and use it. This obviously goes away if you have the users using files on a DC, using printers on a DC, or most definitely have them TSing into a DC.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Monday, July 12, 2004 5:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Question

Got a strange question for you. Powers that be asked if I would install a "backup" domain controller on a local terminal server and if I would have a problem with it. They do not see an issue with it. So, basically users would log into a terminal server that is a DC. Can you share your opinion?

Also, they said that we can have a domain controller sit there doing nothing just waiting for the "primary" controller to fail (not in a cluster configuration)? Does anyone know anything about this configuration? Can you share?

Thanks in advance!

Kind Regards,
Jennifer Fountain
R&B Inc
3400 E Walnut Street
Colmar, PA 18915

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
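Joe's import dump at the top of the thread shows srvinfo reaching the SCM through OpenSCManagerW and EnumServicesStatusW, so the SCM's own security descriptor is one of the ACLs his "Service ACL lockdown via subinacl or GPO" would have to touch. The script below is an added example, not something from the thread or from the resource kit: it reads that descriptor with the built-in `sc.exe sdshow scmanager`, parses the SDDL with .NET's RawSecurityDescriptor, and reports which principals hold the enumerate right (SC_MANAGER_ENUMERATE_SERVICE, 0x4 in winsvc.h), flagging broad well-known SIDs such as Authenticated Users. The fallback SDDL string is constructed for offline runs and only resembles a default descriptor.

```powershell
# Added example (not from the thread): report who may enumerate services on
# this host, i.e. satisfy OpenSCManagerW + EnumServicesStatusW as srvinfo does.
# Windows only, PowerShell 5.1 or later; run elevated for a complete read.
$SC_MANAGER_ENUMERATE_SERVICE = 0x0004       # winsvc.h; required by EnumServicesStatusW
$GENERIC_READ                 = 0x80000000   # generic bit whose SCM mapping includes enumerate

# Well-known SIDs an admin would normally want flagged as "broad" grantees.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-2'  = 'NETWORK'
}

function Get-ScmEnumerateGrants {
    # Parses an SCM security descriptor in SDDL form and returns every
    # access-allowed ACE that carries the enumerate right.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $mask = $ace.AccessMask
        $canEnum = (($mask -band $SC_MANAGER_ENUMERATE_SERVICE) -ne 0) -or (($mask -band $GENERIC_READ) -ne 0)
        if (-not $canEnum) { continue }
        $sid = $ace.SecurityIdentifier.Value
        [pscustomobject]@{
            Name  = if ($BroadSids.ContainsKey($sid)) { $BroadSids[$sid] } else { $sid }
            Sid   = $sid
            Mask  = ('0x{0:X8}' -f $mask)
            Broad = $BroadSids.ContainsKey($sid)
        }
    }
}

# Live read: sc.exe prints blank lines first, then the SDDL on one line.
$sddl = & sc.exe sdshow scmanager 2>$null | Where-Object { $_ -match '^D:' } | Select-Object -First 1
if (-not $sddl) {
    # Constructed fallback that only resembles a default SCM descriptor, for offline runs.
    $sddl = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)'
}

Get-ScmEnumerateGrants -Sddl $sddl.Trim() |
    Sort-Object Broad -Descending |
    Format-Table Name, Sid, Mask, Broad -AutoSize
```

Rows marked Broad are the ones a subinacl or GPO change would need to tighten; the service-level ACLs (`sc.exe sdshow <service>`) and the remote registry winreg key that RegConnectRegistryW goes through are separate checks not covered here.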
