I replied to the list, David; if you want me to reply direct only, let
me know. This exchange shows different interesting views of NT security.
<snip>
>>If you type 'netstat /?' at the command prompt, it'll say "Server
>>side connections not normally shown" for the -a variable. Just to be
<snip>
>I don't think it will show listening ports, but does show connected server
<snip>
It would be nice if 'netstat -a' listed the listening ports on NT. ;)
<snip>
>>protect the open ports first, then study the security of each port,
>>because each service uses a different security mechanism. SMB and
>>the NT logon process care about the integrated NT security mechanisms,
>>and for initial connection only, but SQLserver and other apps may
>>not care about integrated NT security, and have as an option alternative
>>user authentication systems. I think other kernel resources that
>>don't use a redirector or go through the NETBIOS stack also divert
>>around integrated security.
>
>SQL server (at least MS's) does use integrated NT security. I have no idea
>what "kernel resources" could _possibly_ divert around the OS security given
>that _every_ kernel resource has security attributes, including an ACL.
Yup, SQLserver can use integrated security, but also has other options
to bypass NT security and use other authentication systems. As do other
apps like IIS. Exchange is the one app that can't bypass NT security, as
far as I know.
An SMB Session does not use NT security, the O.S. internally matches the
UID of the SMB session to an access token (the UID/token table was
built during the first SMB session setup to that particular server). Then
ACLs are used internally against that token assumed to belong to that UID.
Only internally does NT use security access tokens, tokens are never sent
across the net, so unless tokens accompany network traffic, NT security
can't directly control network access. Since NT Security only works
internally by relying on access tokens and ACLs, everything coming in
externally is somehow mapped to an access token of a user, a service,
or privilege.
...(waiting for flames)
Interesting thing happened to me once, tested an NT webserver on a DMZ with
IP as its own single-host Domain, put a network card with NETBEUI on an
internal net with a different NT domain on it, and before I could set up a
one-way domain trust relationship, the event log of the new NT4/IIS system
started filling with application-specific license violations of NETBIOS
clients belonging to my other domain to server services on the new system
which I didn't intend to access. NETBEUI issue, unrelated to TCP/IP, but
interesting traffic from an untrusted, separate domain. Might as well have
been IP though.
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________
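
The UID-to-token mapping described in the post, as an added conceptual model that is not part of the original message and is not NT or SMB code. The class names, the account, the resource path and the ACL entries are all constructed assumptions.

```python
# Conceptual model of the UID-to-token mapping described in the post.
# All names and data here are constructed; this is not NT or SMB code.
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    user: str
    groups: frozenset


@dataclass
class Server:
    accounts: dict                      # user -> (password, groups)
    acls: dict                          # resource -> {principal: rights}
    sessions: dict = field(default_factory=dict)   # UID -> AccessToken

    def session_setup(self, user, password):
        """Authenticate once and return a UID; the token stays server-side."""
        entry = self.accounts.get(user)
        if entry is None or not secrets.compare_digest(entry[0], password):
            return None
        uid = secrets.randbelow(0xFFFE) + 1
        while uid in self.sessions:     # avoid reusing a live UID
            uid = secrets.randbelow(0xFFFE) + 1
        self.sessions[uid] = AccessToken(user, frozenset(entry[1]))
        return uid

    def access(self, uid, resource, right):
        """Later requests carry only the UID; map it to a token, check ACL."""
        token = self.sessions.get(uid)
        if token is None:               # unknown UID: no token, no access
            return False
        acl = self.acls.get(resource, {})
        principals = {token.user} | token.groups
        return any(right in acl.get(p, set()) for p in principals)


def build_sample_server():
    # Constructed sample account and ACL.
    return Server(
        accounts={"alice": ("constructed-pw", ["Users"])},
        acls={"share/report.txt": {"Users": {"read"}, "Admins": {"read", "write"}}},
    )
```

In this model the ACL decision is only as trustworthy as the binding between a request's UID and the session that was authenticated, which is the dependency the post points at.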