These are actually pretty interesting questions as to the admin
rights needed on machines. In a way, I can understand why admin rights
would be needed. But there are numerous checks out there that require admin
rights to check for it, but to exploit it, anybody can do it.
I would like to suggest that maybe there should be an option that
will run the checks, admin or not, and give you the results. One of my
gripes was with open writable netbios shares. If the "everyone" group is
able to right to it, then isn't it an open share? Shouldn't this be flagged
as a vulnerability? Why would I need to login to the machine as an "admin"
in order to detect a share the whole world can write to? Luckily, I have
been working with Tech support to resolve this issue. It works, but just
lists the IP/host that has a writable share, and not what the share actually
is.
I think there's many checks like this that should be performed
regardless if you're an admin or not. I could understand if you're an admin
of a small 25 node LAN, but when you have hundreds and thousands of hosts,
it is impossible to be an admin of every one of them....or even the majority
of them.
Mike
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 8:23 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
Propagation
Does it mean that if you have no admin rights on the targeting host,
although you selected to check this, it will not run? How do I execute the
check with admin rights? Isn't it dangerous to execute the check with admin
rights where the scan traffic is all in clear (plain text)?
I was also very curious about this particular check 'MssqlPreauthBo' which
require admin rights too. The actual exploit for this doesn't require any
admin rights if your TCP port 1433 is open and the no correct patch applied,
it should be vulnerable. Can you explain why for this particular check
'MssqlPreauthBo' need admin rights?
In this case, if checks are not being run (becos without admin rights), it
won't reflect the actual vulnerabilites state of the machine and most
critical ISS ckecks required admin rights. Can someone pls answer me??
Regards,
Cindy
"Rouland, Chris
(ISSAtlanta)" To: "Stephen Tihor"
<[EMAIL PROTECTED]>, "ISS XForce" <[EMAIL PROTECTED]>
<[EMAIL PROTECTED] cc: <[EMAIL PROTECTED]>
t> Subject: RE: [ISSForum] ISS
Security Brief: Microsoft SQL Slammer Worm Propagation
Sent by:
issforum-admin@i
ss.net
01/27/2003 04:52
AM
Stephen,
The MssqlMs02039Patch (SecChkId 9666) check for Internet Scanner works by
reading the path to where SQLServer is installed and then gets the version
resource from ssnetlib.dll. If the version is less than 636, we flag the
target as vulnerable.
You will need admin rights on the target to detect this.
-Chris
-----Original Message-----
From: Stephen Tihor [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 2:14 PM
To: ISS XForce
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
Propagation
Interestingly enough if have ISS internet scanner upda toe date with all
XPU's and scanned a machine Friday which turned out to be vulnerable today.
It was a stable production node so I doubt they enabled anything new. Which
suggests the ISS was not on point or was a Denial of Service test since
those were not
run against the machine being tested. Could someone tell
me which was the case?
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
