SoftwareTipsandTricks Forum



Accounts, Permissions, and Groups in XP


  #1  
Old 10-05-2006, 10:04 PM
b4gumby Offline
Registered User
 
Join Date: Oct 2006
Posts: 4

Heya Everyone,

This is my first post so go easy. I grew up with Windows at school, but for a job I have been maintaining stripped-down Unix servers and Cisco gear.

Last week for the first time I became interested in Windows networking and had a bit of an explore around the OS to see how things worked. I found it's a fairly similar system in the way accounts, permissions and groups function.

First I saw from the Control Panel only 4 accounts on my computer (what a load of $#@$). I know there have to be more accounts than that, as there are specific programs which can do things outside of the permissions which I have set. So I decided to have a look around, and figured out how to get into the administrator account from safe mode.

When I did this I noticed I was able to change ownership of a file to a user and a group, so I had a bit of a play. From here I found the true list of user accounts and available groups in XP Home.

What alarmed the hell out of me was that there were 2 super user accounts on my computer, administrator and administrators. From the old days at TAFE I remember my teacher telling me administrator is the super user account. When I set up XP I created an account called Paul, and made the files private. I also made sure both administrator accounts had a password over 10 chars with good security, as I was taught.

After discovering this third account, administrators, I decided to check the security of my account paul. The scary thing is the proper super user account, administrator, had no access to certain directories but could access the profile, while administrators could access everything in my paul account. After checking a few of the basic Documents and Settings folders, I discovered administrators had access to everything. My feeling is I got hacked. I guess I just would like some advice from a Windows admin about simple tricks to keep 134-139 and 445 open on my LAN, without compromising 445. The border router IS SECURE, fashion for a home connection. What I mean there is it's a NAT-style firewall.

To give you an idea of the network which was employed at the time: the standard Microsoft protocols were installed when you first insert a NIC. It was connected to a single DSL modem router; all ports are accessible outgoing, but the only port which was accessible incoming was a torrent client which I ran (6881). The network is a flat subnet, so everything on the LAN can see everything. Dynamic host translation is enabled on the router. 134-139 and 445 ports were open from the higher level. The home idea was the data would get to the border, not be able to be translated, and the datagram would be dropped. I could put in ACLs but that would mean taking away my $200 Linksys and putting in my $1000 Cisco. The client which ran the torrents was a Java client. The only way by networking law is they would have had to come into 6881, then create a backwards connection. If they did do the hack, the program would have to be compromised through an attack, like overflow or remote execution of code. Crash the client to get a shell up, and start from there in root (or a Windows equivalent). From all the groups available, I can see not all programs would need to be run in administrator.

One thing I did note is that administrators was linked to the groups "backup and restore" and "power user".

Obviously, I took away file sharing and printing once I noted this as I don't want them walking through my system. Currently, there are no backwards connections open, since I took a few of the administrators registry out. I think I broke the account.

Is the Administrators account a legit account or is this some script's work?

Are there any holes which I am which is common knowledge?

Can someone point me to a Microsoft article regarding basic Microsoft security?

Ahh, also I was using a workgroup for the network, not too sure if you can restrict computers joining them.

I really only know Unix networking, any suggestions or ideas?

  #2  
Old 10-06-2006, 09:04 AM
RAZman25 Offline
Registered User
 
Join Date: Aug 2006
Location: Montreal
Posts: 57
Dude! ... My first advice to you is to post one question at a time in a different thread. That way you get a response faster. Most of the people (if it's not everyone) do not like to read a long post. I can't believe I read up to 3/4 of your posting.
__________________
--RAZman25
"The truth is out there"

  #3  
Old 10-06-2006, 06:57 PM
b4gumby Offline
Registered User
 
Join Date: Oct 2006
Posts: 4
Point taken bro, but it's all part of the same issue.

I guess I was just looking for an article from the MSDN regarding accounts, groups and permissions. I have had a look through the site but there is so much information in there and I'm not too sure how to search for what I'm looking for, as the terms are all different.

Do you know any articles regarding the above?

  #4  
Old 10-06-2006, 07:00 PM
b4gumby Offline
Registered User
 
Join Date: Oct 2006
Posts: 4
Also, I'm fairly confident it was an exploit as I have now found Dr. Watson running in the background, dumping vital parts of the OS to a log file which is accessible only by Administrators.

  #5  
Old 10-07-2006, 10:18 PM
RAZman25 Offline
Registered User
 
Join Date: Aug 2006
Location: Montreal
Posts: 57
I suggest you start with the basics. Here is an interesting article from the Microsoft site: http://www.microsoft.com/resources/d....mspx?mfr=true
__________________
--RAZman25
"The truth is out there"

  #6  
Old 10-09-2006, 04:27 AM
b4gumby Offline
Registered User
 
Join Date: Oct 2006
Posts: 4
Thanks for the post,

It's now solved. Dr. Watson was used to dump my reg and SAM file. From there they recreated the administrator; I think it was the .asp account which they figured out first.

Permissions were changed and bang, full access.

Thanks for the help. I'll have a read, but I'm going to give XP the flick as it tends to be too much securing for my liking. Unix can be a pain in the ass to get set up, but it's just so much easier adding in the things that you want rather than taking them away.

I'm not into learning the registry as there are 32 native registers on a computer and I just don't have the time.

Thanks for putting up with the long post.

Gumby
All times are GMT -5. The time now is 07:39 PM.