[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference powdml::pc_security

Title:PERSONAL COMPUTER SECURITY
Notice:SWEEP servers Note 5; more info on www-is-security.mso.dec.com
Moderator:BSS::BOREN
Created:Wed Jan 02 1991
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:504
Total number of notes:2905

492.0. "New Exchange project seems to download a trojan horse.." by FIEVEL::FILGATE (Bruce Filgate SHR3-2/W4 237-6452) Fri Mar 21 1997 18:46

 Late one night as I finished upgrading my office pc to Office 97, I
 decided to go for broke and bring up my OutLook mail box.  Well, I
 logged onto the DIGITAL1 domain ok, but our mailbox/server was off to
 one side so I logged into that domain when requested, where I received
 a surprise download.

 As I understand the explaination of what loaded next, it is required
 of all users that have exchange mailboxes.  This appears to be a 
 MS product with a name like SMS (system management software or such?).
 It appears that when the domain login is in progress from a PC with
 exchange installed, the PC is queried for its hardware/software/license
 inventory which is uploaded, if the upload fails, then the domain 
 server loads the SMS package.  The MS documentation suggests that
 the software is used by remote administrators to enter console commands
 as if the remote individual were sitting in front of the PC.

 Given that DEC used to hold the owner/operator responsible for security on
 their computers, and given that this software at first blush bypasses
 system security, was there a modification in the corporate security
 rules for PCs that I missed?

 How are other users dealing with this new wrinkle and protential 
 security hole?

 And mostly, where can we get more documentation on this software that
 we now have installed on our machines? (I usually read at least the
 release notes!)

 Bruce
T.RTitleUserPersonal
Name		DateLines
492.1I'd also like to turn off Big BrotherKYOSS1::POLAKOWSKIOne of Us is Over 40Mon Mar 24 1997 10:5311
    
    	I too would like to find oout how to disable this "feature".
    	I don't like watching the logon process executing Xcopys
    	and time synching and such without knowing what the hell
        is going on. I'd just as soon have them leave their hands
    	off my PC. If I want to set the time or copy something
    	i'd prefer to do it on my own terms apart from some
    	Big Brother entity.
    
    	Ken
492.2TARKIN::LINBill LinMon Mar 24 1997 11:394
    You have to negotiate this with your IS department.  CCS does not want
    to play "Big Brother."  Talk to CCS if you have concerns.
    
    /Bill
492.3I was told noWHYNOW::NEWMANProtector of the CauseMon Mar 24 1997 14:242
    I have tried to get this "turned off" and was told that it was a
    "corporate policy" and could not be eliminated...
492.4SMS is not the problem, it does exercise a Microsoft security liability thoughFIEVEL::FILGATEBruce Filgate SHR3-2/W4 237-6452Mon Mar 24 1997 15:5724
 Consider, if you will, that SMS gets installed by utilizing a very large
 security hole that Microsoft created.  Some folks probably remember
 that DEC did a similar thing in the earlier days of VMS, networks
 `task' object; once this vulnerability became known to the hackers, no
 VMS system was safe until we fully locked down the `task' object on
 each and every machine.

 If a corporate entity can push a copy of software onto a PC and make
 it run, any other entity can do the same thing.  A case in point is
 those of us who read mail at home: these home machines could be spoon
 fed trojan horse class programs from any ISP.

 The trap door that opens this vulnerability needs a way to be locked,
 presumably there is some software to lock it down? Perhaps in SMS?

 SMS's only security crime in this is that it makes the DEC PC network
 monolithic down, a break-in on one layer of the SMS management lays
 to immediate risk every PC located below the break-in...not good for
 bet-your-business computing.

 Probably time for a good vaccination!

 Bruce
492.5WOOK::ogodhcp-123-40-215.ogo.dec.com::readBob Read @OGO, DTN 276-9715Tue Mar 25 1997 15:0910
SMS utilises the NT logon batch file to do its thing. This is hardly something 
that anyone other than your authentication domain administrator can access.  
As long as your tier 1 authentication domain (for those of us using CCS, 
that's Digital1, Digital2, or Digital3) is not compromised, then you're 
probably safe.

As for SMS' ability to "control" your PC, that requires loading and enabling 
the remote access bits to allow access.  It's not loaded or enabled by 
default, so your machine is safe from remote control unless you go in and turn 
it on.  That requires explicit action on your part.
492.6Some paranoia is healthy.FIEVEL::FILGATEBruce Filgate SHR3-2/W4 237-6452Tue Mar 25 1997 20:4826
>>As for SMS' ability to "control" your PC, that requires loading and
>>enabling the remote access bits to allow access. 

That is what I was told as well, but when I ran SMS and looked at the 
settings, all the boxes appeared to checked to enable them by default.
I will not pretend to understand SMS even a little bit, but it appears
from the MS web page and the set up pages on my PC to be fully enabled.

As to "tier 1 authentication domain...is not compromised", this is not
my area of expertise which is why I do not run with domain login
on my engineering PC.    

Maybe this is a topic that should be very well addressed in either the
exchange class or a recommended follow on?  Perhaps if there were more
information available there would be less (or more?) concern about SMS.

Also a security advisory about the future up loads of SMS would have gone
a long way to asuage anxiety about getting something `squirted'
into my machine when logging on to read mail...pulling the power plug
was tough on the write-back disk cache. 

Perhaps we should not be concerned, but I'm an engineer and as an
engineer I will always want to have/see the data.

Bruce