RE: Security hole at boot

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 1 Jan 2002 10:57:39 -0800

I wouldn't mess with the services start codes; those directly relate to how
the services start up (automatic, manual, disabled).  Changing that data
will have very unpredictable effects.
As far as dependencies, ISA still depends on the base TCP/IP services; that's
why the dependencies exist as they do.
The thing to bear in mind here is that until Windows has finished its
startup, no services are answering even if the TCP/IP ports are showing
"active".
Those are two different issues.
If you can actually obtain more data than OS fingerprinting, I'd love to
know what you get.  That would certainly be something to pass on to the ISA
and/or Windows teams.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Dar Scott" <dsc@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 01, 2002 07:43
Subject: [isalist] RE: Security hole at boot



I'm still concerned about the lack of IP filtering at startup.  On
typical machines this can be a minute, from the end of the blue
progress bar until about 10 or 20 seconds after the login screen.

Vulnerability seems to depend on which services are started
automatically and in what order.  I'm worried that by enabling or
disabling a service I might increase my exposure.

During this window, my server spills its guts; the system and some
add-on services start broadcasting.  LanGuard is able to get system
info from ports 135 and (if I "accidentally" forget to disable NetBIOS
on the TCP/IP properties) 139.  If I enable simple TCP and simple TCP
starts up, I can get time and date.  I can FTP.  I would guess
that a system with Terminal Services or pcAnywhere might have these
exposed if they end up being loaded early.  A minute might be too
short of a time to crack these, but might expose that they exist or
expose them to those who have pw some other way.

I found this same problem with another firewall and with IPSec.


Anybody familiar with system startup?

Taking Jim's lead I looked at the registry.  TCP/IP and NetBIOS over
TCP have start codes of 1.  IP Filter (IpFilterDriver), ISA IP Filter
(MspFltEx), Firewall and so on have start codes of 2.  So do lots of
things that use TCP/IP.

Dependencies:  Firewall -->  IP Filtering Extension --> IP Filter --> TCP/IP

Could start codes for IP Filtering and IP Filtering Extension be
safely changed to 1?  Would that even take care of the problem?  The
firewall service depends on several services so moving that to 1
would move several.  Could NetBIOS over TCP be moved to 2?


Or maybe somebody can convince me this is not a problem.

Dar Scott
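
Added example, not part of either message: a small Python model of the ordering question raised above, run over a constructed snapshot of the services' `Start` values and dependencies. The start codes and the filter chain come from the thread; `SimpleTcp` and `Ftp` are hypothetical listener entries, their dependencies and NetBT's are assumed, and ordering inside one start phase is treated as undetermined unless a dependency fixes it (load-order groups are ignored).

```python
# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services entries.
# Start values and the filter chain follow the thread; SimpleTcp and Ftp
# are hypothetical stand-ins for listeners, with assumed dependencies.
SERVICES = {
    "Tcpip":          {"start": 1, "deps": []},
    "NetBT":          {"start": 1, "deps": ["Tcpip"]},   # dependency assumed
    "IpFilterDriver": {"start": 2, "deps": ["Tcpip"]},
    "MspFltEx":       {"start": 2, "deps": ["IpFilterDriver"]},
    "Firewall":       {"start": 2, "deps": ["MspFltEx"]},
    "SimpleTcp":      {"start": 2, "deps": ["Tcpip"]},   # hypothetical
    "Ftp":            {"start": 2, "deps": ["Tcpip"]},   # hypothetical
}

def closure(services, name, seen=None):
    """Return every service that `name` depends on, directly or not."""
    seen = set() if seen is None else seen
    for dep in services[name]["deps"]:
        if dep not in seen:          # the seen set also stops dependency cycles
            seen.add(dep)
            closure(services, dep, seen)
    return seen

def phase(services, name):
    """Earliest start phase: a service cannot start before its dependencies."""
    return max([services[name]["start"]] +
               [services[d]["start"] for d in closure(services, name)])

def classify(services, filt="MspFltEx", stack="Tcpip"):
    """Label the stack and each of its users relative to the filter's load."""
    filt_phase, chain = phase(services, filt), closure(services, filt)
    result = {}
    for name in services:
        deps = closure(services, name)
        if name == filt or (name != stack and stack not in deps):
            continue                              # not a TCP/IP user
        if filt in deps or phase(services, name) > filt_phase:
            result[name] = "after filter"
        elif phase(services, name) < filt_phase or name in chain:
            result[name] = "before filter"        # earlier phase, or filter waits on it
        else:
            result[name] = "unordered"            # same phase, no dependency either way
    return result

if __name__ == "__main__":
    for svc, label in classify(SERVICES).items():
        print(f"{svc:15} {label}")
```

Calling `classify` on a copy of the snapshot with different `start` values evaluates a proposed change on the model without touching the registry.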


