Badger_sly
Nice work on the data, rcolbert. At least now there is proof that can be pointed to when someone asks in the future.
Once again playing the semantics game. The problem here is that you are demanding everyone go by your definition of terms and wording and argue it from there. I already said I wasn't interested in doing that.
rcolbert said: GreNME: First off, the statement I was responding to was " only an authenticated user can take advantage of services on your machine." That doesn't mean "able to start a service" in my book. I interpreted "take advantage" to mean "utilize", not "start." Obviously there are numerous services that users (and other computers) can access without authentication.
as a reason against disabling services. But now you're saying:
GreNME said: As for security, don't let yourself be fooled: only an authenticated user can take advantage of services on your machine. If an intruder is using your services, your machine has already been owned. It's really that simple.
You don't need to be able to start a service to "take advantage" of it. You yourself give an example:
GreNME said: I challenge you to name a single service that can currently be started on a machine without privileges (read: authenticated).
If a service is disabled, there's zero chance it can get "taken advantage" of. You seem to be changing your story...
GreNME said: Also, if a connected user hasn't privs to use the service (unlike the RPC mistake, which allowed unauthenticated users elevated privs), the weak link isn't the service.
That's not how it works. You are the one who brought up memsnap. I already know what the data is showing, and it is not showing anything to substantiate either of our claims. However, I want you to "explain" it to the best of your ability, since you first brought it up.
rcolbert said: When you can explain to me how anyone was supposed to understand "take advantage of" to mean "start" rather than "utilize" I will answer the rest of your question.
I'll tell you the same thing I told O[H]-Troll: I will give you $500 US if you can come before me and take advantage of ANY services on my XP install. I'll even use my XP Home lappie if you want, though you have more services to choose from with my XP Pro lappie. If you can do it without me giving explicit permission to access a service, then I will acquiesce. The problem isn't in the services here. If you have services being fooled with by an outside source without you wanting it, you've already been owned.
I don't think I'm splitting hairs here. I think what you are thinking and what you are typing are two different things. Did anyone else read "take advantage of" and think that he meant "start a service?" Show of hands please..
You misunderstand what I was asking. I was asking you to use the lsass process running as the "for example" in your explanation of the columns in memsnap. The discrepancy within it (way higher paged data than the working set) takes a bit deeper understanding of how the processes are being tallied than just downloading and cutting-pasting output from a tool.
(an lsass is a local security subsystem that must be running, and I won't BS about it because to tell you any more I'd be googling it.)
Well, the answer is yes and no: a non-auth user can put input into and call a running service remotely, but only after an authorized user has given that privilege. ActiveX scripts, for example, can call services, but the user must be allowing ActiveX scripts to run for it to happen (and by default, the user is prompted).
Phoenix86 said: Wait, before we argue the semantics of "start" and "use" can a non-auth user do either? I wasn't aware a non-auth user could do either w/o another exploit like with RPC. Kinda makes it a moot point otherwise...
That still requires auth., and makes their point on the difference between "use" and "start" moot. They are the ones making a deal over the difference in words, I want to see if there is a point or not.
GreNME said: Well, the answer is yes and no: a non-auth user can put input into and call a running service remotely, but only after an authorized user has given that privilege. ActiveX scripts, for example, can call services, but the user must be allowing ActiveX scripts to run for it to happen (and by default, the user is prompted).
Basically, it's pedantic wordplay. The problem is not on the services level, it's in allowing users to run as admin to begin with, a mentality that has kept the *nix world far safer from malicious code than most general consensus likes to think.
Indeed. I find your misinformation alarmingly absurd.
rcolbert said: This is being reduced to the absurd.
You can interact only to authenticate. Nothing else. Without authenticating, you are denied any access to it. You may as well say that a person without a key to a locked door has access to the door, which is incorrect.
Netlogon (prior to logon you interact with it)
And ditto on the explanation. No privs == no access.
Telnet Server (ditto)
Wrong. Try to utilize the Computer Browser service on my machine remotely without authentication. It makes anonymous requests out, but no access from the outside in.
Computer Browser (no authentication required)
How in the hell are you accessing that service with no privs? You can get the information it broadcasts if you are allowed access set by the admin of the server, but other than that your "nada" is the level of access you have to the service.
WINS Server (nada)
Same as the WINS. I can give you access to my 2k3 SBS environment at home, and I'd love to see you even get an IP, let alone get info from WINS or DNS from the network.
DNS Server (zero)
rcolbert said: And there's a one-use limit on the term "pedantic" per thread.
Does this mean you can configure or control services without authentication? No, of course not. Does this mean you can authenticate against services that require it without proper credentials? No. However, you are simply wrong when you assert that services can't be utilized by unauthenticated users.
It's been a long day and I'm sitting here bored. What can I say?
I'll give you this though - you are right on top of this thread with the timely responses.
Um, no. Unnecessary services are already not on by default since 2003 Server. You turn on what you need by setting it up.
I and Microsoft disagree with the totality of the point you are making.
In fact, eliminating unneeded services is strongly recommended by Microsoft as a means to "reduce the potential surface area" vulnerable to attacks.
Ahh, the old "appeal to authority" routine. How's this: I've been involved in designing and maintaining the network security for medical facilities and federal banking institutions for a few years now, which include far more than one operating system or network infrastructure. I have an acquaintance who develops for Checkpoint, among other security and intrusion prevention professionals.
I have been involved directly with Microsoft for many years...
Name some. Theoretically, any computer connected to a network, with all the caveats and "what-ifs" you can come up with, is susceptible. Hence my bringing up the old parody page of the wire-cutters as the only sure firewall.
Any process listening on any port regardless of the firewalls and patches in place, *may* be susceptible to some as yet unknown exploit such as a malformed request or a buffer overflow.
Gonna be in the DFW area any time soon? I'll gladly take you up on that bet.
If you thought the same as you do six months ago, I had tools whereby I could talk to any Windows server and run any code I chose on it, regardless of what you had done from a Microsoft or Virus Scanning level. The only two things that would have prevented your system from being compromised would be an active agent like the Cisco Security Agent, or if you were simply hidden behind hardware such as a NAT.
And none of them use a service as a point-of-entry. RPC was the only service so far that has had such a problem.
All of the tools I mention are pretty much useless today against a patched system. However, there's no way of knowing which process will turn up next as having some sort of vulnerability. Exploits such as buffer overflows or malformed requests almost never require authentication to work. Their sole job is to let you anonymously run arbitrary code of your choosing on remote systems.
It's good enough that it will deny the basic TCP requests that can be used to find possible susceptibility. No, there isn't a way in hell I would suggest it for a corporate network, but that's why the server OS doesn't come with it to begin with. Use the right tool for the right job.
From a corporate perspective if you run a tool like Foundstone against your enterprise, you'll see exactly what all the extra running services do in terms of softening up your defenses. And also for the record, the Windows firewall in XP is extremely basic and should not be considered an adequate substitute for a good third party product. It's better than nothing, but that's about it.
Please, please, please don't tell me you're that NTCanuck dude.
Tell you what, give me your IP address if you're not behind a NAT and we'll see... (j/k)
GreNME said: Ahh, the old "appeal to authority" routine.
Oh, sorry... I was just trying to get back to that goalpost we were discussing before you shifted from it.
And WINS, SQL, IIS and many other services have been susceptible to malformed requests and buffer overflows to the point of allowing arbitrary code execution, to name a few. Not just RPC.
That was a joke. I'm just teasing about that guy who had the tool he claimed could "bring down the internet!"
rcolbert said: And I'm definitely no Canuck.
Wow. Sounds like it's Ok with M$ if you shut them off...but wait! There's more!
Microsoft said: When Windows XP Professional installs, default system services are created and configured to run when the system starts. Many of these system services do not need to run in the environments defined in this guide.
Man, they even thought it was important enough to put "Important" in front of it. Well, looks like shutting off unneeded services is a pretty good idea.
Microsoft said: Important: Keep in mind that any service or application is a potential point of attack. Therefore, any unneeded services or executable files should be disabled or removed in your environment.
O[H]-Zone said: They do in this technet article. Let me quote:
Wow. Sounds like it's Ok with M$ if you shut them off...but wait! There's more!
Man, they even thought it was important enough to put "Important" in front of it. Well, looks like shutting off unneeded services is a pretty good idea.
So's winlogon, let's kill it. Oh, wait, that one is kinda important. But it listens on ports, but it arbitrates user permissions, it is obviously a security risk! Yet you still run it, and if you kill it, windows bluescreens.
O[H]-Zone said: They do in this technet article. Let me quote:
Wow. Sounds like it's Ok with M$ if you shut them off...but wait! There's more!
Man, they even thought it was important enough to put "Important" in front of it. Well, looks like shutting off unneeded services is a pretty good idea.
*IF*
rcolbert said: I'm not really attempting to turn a resources argument into a security argument either. I'm more interested in the services, processes, and resources element of the discussion. More to the point, if a service is listening on a port, you can talk to it. You might not like what it has to say to you, but you can certainly talk to it. Therefore, the process needs to be aware that you're talking to it. Either the OS/IP Stack is doing extra work to be the listener for the process, or the process is not 100% dormant. In any case, there are CPU cycles consumed.
Well, talk about a shift in gears... I guess it was needed, we all pretty much agree disabling services doesn't help with performance.
In fact, eliminating unneeded services is strongly recommended by Microsoft as a means to "reduce the potential surface area" vulnerable to attacks.
GreNME said: Nice name-dropping again.
Isn't that what we're talking about...a higher-security environment?
OldPueblo said: High Security environment
Then it doesn't qualify as a service that you're not using, does it? As in:
Ranma_Sao said: So's winlogon, let's kill it. Oh, wait, that one is kinda important. But it listens on ports, but it arbitrates user permissions, it is obviously a security risk! Yet you still run it, and if you kill it, windows bluescreens.
Uh huh, and yet I guarantee whatever research you do today, will be broken by tomorrow's application.
O[H]-Zone said: Isn't that what we're talking about...a higher-security environment?
Then it doesn't qualify as a service that you're not using, does it? As in:
Do research, find out which services you're sure you're not using, and turn them off.