With the recent announcement of another NT file space access vulnerability in IIS, I
think it is prudent to examine the way TSM backs up the registry on NT.

Currently, the registry is backed up to c:\adsm.sys. By default, this directory has
Everyone/Change permission, which means that anyone with file system access can read the
files there. The SAM database is stored unencrypted in c:\adsm.sys\Registry\<netbios
name>\Machine. I have successfully attacked an IIS server (my own :) and pulled
passwords from this file with L0pht Crack.

This vulnerability is created by the default installation practices of Microsoft:

1. The IIS inetpub directory is on the c:\ drive by default. The IIS attack is only
   good on the IIS drive.
2. The default permissions for files are too loose. Removing users except System
   from the adsm.sys directory is a good idea.
3. The registry is stored unencrypted. Even a simple scheme common to all TSM
   installations would be better than nothing.

Perhaps TSM should change the permissions of the adsm.sys directory after creation. As
for the location of inetpub, best practice dictates a separate file system for this.
chuck
---------------------------------------------------------
Chuck Colht
Network Administrator
Chugach Electric Association
[EMAIL PROTECTED]
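As an added example (not part of the post above, and not TSM's own tooling), the following PowerShell script audits the ACL on the adsm.sys directory for access granted to broad groups and, with -Fix, restricts it to SYSTEM and local Administrators using icacls. The default path C:\adsm.sys is taken from the post; granting Administrators as well as SYSTEM is this example's assumption.

```powershell
# Added example, not from the original post or from TSM itself: audits the ACL on
# the directory TSM uses for its registry backup and, with -Fix, restricts it to
# SYSTEM and the local Administrators group. Run from an elevated prompt.
param(
    # C:\adsm.sys is the location named in the post; an assumption for other installs.
    [string]$Path = 'C:\adsm.sys',
    [switch]$Fix
)

# Broad identities that should hold no access here: the directory holds a
# plaintext copy of the SAM, so even read access is too much.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-BroadAces {
    param([string]$Dir)
    (Get-Acl -LiteralPath $Dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadGroups -contains $_.IdentityReference.Value
    }
}

function Invoke-Icacls {
    # Wrapper so a failing icacls call stops the script instead of being ignored.
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($args -join ' ') failed ($LASTEXITCODE)" }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Directory not found: $Path" }

$offending = @(Get-BroadAces -Dir $Path)
foreach ($ace in $offending) {
    Write-Warning ("{0} has {1} on {2} (inherited: {3})" -f
        $ace.IdentityReference, $ace.FileSystemRights, $Path, $ace.IsInherited)
}

if ($offending.Count -eq 0) {
    Write-Host "OK: no broad-group access on $Path"
}
elseif ($Fix) {
    # Drop inherited ACEs, strip explicit grants to the broad groups, then replace the
    # SYSTEM/Administrators entries with Full Control that inherits to children, recursively.
    Invoke-Icacls $Path /inheritance:r
    foreach ($g in @('Everyone', 'Users', 'Authenticated Users')) {
        Invoke-Icacls $Path /remove:g $g /T /C
    }
    Invoke-Icacls $Path /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' /T /C
    # Re-audit so the reported result reflects the on-disk ACL, not the intent.
    if (@(Get-BroadAces -Dir $Path).Count -eq 0) { Write-Host "Hardened: $Path" }
    else { Write-Warning "Broad access still present on $Path; inspect with: icacls $Path" }
}
```

Run it without -Fix first to see what the current ACL grants; the audit alone is safe on a production server, while -Fix rewrites the ACL of the whole tree.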