Message-ID: <3F17880A.7040503@telusplanet.net>
From: mckellar at telusplanet.net (Neil McKellar)
Subject: Odd Behavior - Windows Messenger Service

Please be patient with me while I work through this a bit.  I want to be
sure I understand.

In morning_wood's original post, he said:
> Windows networking (TCP) and messenger service are both initialized
> before any user/admin login has taken place, and are remotely
> accessible

He went on to describe getting some Messenger spam before he's even
logged in.  It's true that Messenger is a dog.  And in another message,
morning_wood says:
> my post is in regard of Windows Messenger being accessible without
> any interactive login to take place

Given what Messenger typically gets used for, I don't think that's a bad
question.

But then we get this, and morning_wood isn't the only one suggesting this:
> imho it is irresponsible default behavior for a workstation OS to
> allow remote resources / services / enumeration before any
> interactive user or administrative login.

So suppose.  You're on a local network with a central authentication
service of some kind.  Maybe it's a Windows domain controller, maybe
it's NIS+, maybe it's Kerberos.  Whatever.

Now, we've decided to follow your advice and *not* enable any remote
resources/services/enumeration before login.  Just to be clear, is there
a TCP stack yet or is this a 'resource' or 'service'?  How do I actually
*do* the login against the remote authentication service without
activating some kind of service before the login?

I'm also curious about what exactly we mean by 'workstation'?  If
'workstation' is a stand-alone computer and necessary peripherals (i.e.
hard drive, monitor, etc.), then maybe for some value of "no services"
we can successfully get the user logged in.

If we also include diskless workstations or thin-clients that boot off
the network or terminal clients (X-terminals/Windows Terminal Server),
this becomes much harder.  These machines *need* to be running services
and network connected just to get booted up and display a login prompt.

I'm asking because I want to be clear about what morning_wood and others
are suggesting should be the default.  If I've misunderstood, please
explain yourselves.  I'm just going on what I see here.

If we're actually nitpicking about *which* services should be running,
then I think you're preaching to the choir here. :-)  Yes, a lot of
stuff gets turned on by default that *nobody* needs and certainly not on
a workstation.  True of a lot of Linuxes, Unixes, and Windows boxes.
--
Neil (mckellar@...usplanet.net)