Question: on backing up Windows NT4, we've noticed TSM creates the adsm.sys directory where it dumps the registry and user info/passwords so it can back it up. This is all fine, however is it just me or does this create a huge security hole? By default on NT4, that directory is created with permissions that give "Everyone" "Change" permissions. Thus *IF* I'm able to view the local filesystem, I can then easily go into that directory and run very commonly available password cracking programs to retrieve all the local users and passwords.

Now, remotely I don't believe the average user can see that directory. However, if that same user has privs to log in locally at the console, they can definitely view it. Also, if the box happens to run IIS, there are tons of exploits commonly available that allow a user to also view the local filesystem. This is because the "Internet Guest Account" that's created by IIS has privs to log in locally.

OK, so there's a threat of someone internally trying this at a console. There's also a threat that someone externally could use IIS exploits to do the same thing. Once I have the local admin password (not the domain admin password), chances are good the local admin password is the same on other NT boxes as well. I mean, how many shops have a different local admin password on ALL their boxes? Not many, I suspect. Perhaps even their domain admin password is the same as their local admin password. Even if I can't use that password on other boxes, I can definitely install some sniffers and other hacking tools to do even more damage. Install viruses... destroy that box. Obtain domain passwords... whatever. Now, if I could think of this, and I'm not a security expert, I would imagine others have as well. I was able to locally log in with a non-admin user account and use a commonly available tool to get the local admin password. From there I can think of lots that I can do with that. All because the adsm.sys directory has Change permissions for Everyone.

So has anyone else brought this issue up? Is it common knowledge? Why doesn't Tivoli do something about it? Or perhaps I'm missing something? And if I'm able to think of this, what other ways could someone compromise the system using this info that I WASN'T able to think of? I would love to hear others' comments on this. Does it concern anyone?

Gerald Wichmann
Sansia System Solutions
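The weakness the post describes is a directory ACL, so the check an administrator would want is one that audits that ACL and, optionally, tightens it. The script below is an added example for this thread; it is not code from the original poster nor from Tivoli/IBM. It assumes the staging directory lives at `C:\adsm.sys` (an assumption; the real location depends on the client install) and uses the `Get-Acl`/`Set-Acl` cmdlets of modern Windows PowerShell, which did not exist on NT4, where the equivalent work would be done with `cacls`. It reports any Allow entry that gives "Everyone", "Authenticated Users" or "BUILTIN\Users" read access to the directory (the "Everyone: Change" default the post mentions maps to the `Modify` right, which includes read), and with `-Fix` replaces the DACL with one that admits only Administrators and SYSTEM.

```powershell
# Added example (not from the original post or from Tivoli): audit the ACL on the
# TSM registry/SAM staging directory and optionally restrict it to
# Administrators and SYSTEM.
param(
    [string]$Path = 'C:\adsm.sys',   # ASSUMED location; adjust to where your TSM client creates adsm.sys
    [switch]$Fix                      # when set, rewrite the DACL instead of only reporting
)

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Warning "Directory not found: $Path"
    return
}

$acl = Get-Acl -LiteralPath $Path

# Well-known SIDs that stand for "any local user"; an Allow entry for any of these
# means a non-privileged interactive (or IIS anonymous) account can read the dump.
$broadSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
) | ForEach-Object { New-Object System.Security.Principal.SecurityIdentifier($_) }

# Any of these rights lets the principal read file contents in the directory tree.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
            [System.Security.AccessControl.FileSystemRights]::Read -bor
            [System.Security.AccessControl.FileSystemRights]::Modify -bor
            [System.Security.AccessControl.FileSystemRights]::FullControl

$weak = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($broadSids -notcontains $sid) { continue }
    if (($ace.FileSystemRights -band $readMask) -ne 0) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not $weak) {
    Write-Output "OK: no broad read access on $Path"
    return
}

Write-Warning "$Path is readable by non-privileged accounts:"
$weak | Format-Table -AutoSize | Out-String | Write-Warning

if ($Fix) {
    # Cut the directory off from inherited permissions and drop the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit (non-inherited) entry so only the rules added below remain.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($sidString in 'S-1-5-32-544', 'S-1-5-18') {   # BUILTIN\Administrators, LocalSystem
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $inherit,
            $propagate,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "DACL on $Path replaced: Administrators and SYSTEM only."
}
```

Run it without `-Fix` first from an elevated prompt to see what it would change; the report lists each offending identity together with the rights it holds and whether the entry was inherited from the parent volume, which is the usual way a directory created at the drive root ends up with the broad default. Restricting the directory does not change what the backup client itself can do, since it runs as SYSTEM, but it removes the path by which a console logon or an IIS anonymous account could read the dumped account data.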
