JSI Tip 0990. Do you trust your Server Operators?


A Server Operator can perform many of the same tasks that an Administrator can, with the exception of account management.

By virtue of the default permissions on

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

a Server Operator could replace the SYSTEM value with an executable that grants administrative priveledges. To quote Microsoft:


In the environments where members of server operators are not sufficiently
trusted, it is recommended that security on following keys be changed as below:

Registry Key                                    Recommended Permissions

HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows NT\CurrentVersion\Winlogon             CREATOR OWNER: Full Control
                                                        Administrators: Full Control
                                                        SYSTEM: Full Control
                                                        Everyone: Read

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish