Don't trust those techies, Part 2
by Graham Parks

In Part 1 of this article I told you about the possible dangers of
having engineers from outside your company working on your network.
Of course, some of them are very good, but do not assume you have a
good one until you have checked their work.
This time I want to tell you about something potentially far more serious
than the trouble I had with the phone company.

In the summer of 2000 I was working as a contractor for a rapidly
expanding company. A brand new database system had been ordered and
it duly arrived: a big black IBM box with four Xeon processors, 14 x
9 GB SCSI drives, 1 GB of RAM and a UPS that took two of us to lift.
Oooh, new toy to play with!

A day or so later an engineer came from the database company to carry
out the final configuration. After several hours he announced that
he was finished. My curiosity was immediately aroused. The engineer
had spent only a very few minutes with our I.T. manager. How had he
configured the required user groups and NTFS permissions? When I
had some time with nobody else around I inspected the new database
and discovered the answer. ALL share and NTFS permissions were set
to Everyone - Full Control. I could not believe they had used the
Everyone group for the whole database; even using the Authenticated
Users group would have been an improvement. As it was, if anyone
managed to access the network then they would have full access to
the database; they would not even have to hack into a user account.
This amounts to leaving your home with the front door wide open and
a big sign outside saying "Come in and help yourself".

I reported all of this to the I.T. manager who at first, to my dismay,
did not seem to realise the size of the problem. I persisted and he
contacted the database company. Their answer was "It's your
domain, access permissions are nothing to do with us". So I asked
how we were supposed to know which areas of the database should be
set to what level, i.e. change, read-only or no access. They repeated
their original answer. I got a bit annoyed at this point and
repeated my question and elaborated a bit in case they had
misunderstood my concerns. This time they told us that all the
database files were accessed via hidden shares, so no setting of
permissions was necessary. Oh really!!!!

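The two failures described above (Everyone - Full Control on both the share and the NTFS ACLs, and hidden shares offered as a substitute for permissions) can be checked and corrected on a current Windows server with the PowerShell below. This is an added example, not code from the article; NT4 had no PowerShell, so it is the modern equivalent of the inspection the author did by hand. The `SmbShare` cmdlets (Windows Server 2012 and later) are real; the share name `DbScripts` and the groups `CORP\DB-Admins` and `CORP\DB-Users` are placeholders. Note that `Get-SmbShare` lists `$`-suffixed hidden shares like any other share, which is exactly why hiding a share is not a permission.

```powershell
# Added example (not from the article): find shares whose share-level or NTFS
# permissions grant Everyone Full Control, and apply a least-privilege fix.
# Requires the SmbShare module (Windows Server 2012+) and Administrator rights.
# 'DbScripts', 'CORP\DB-Admins' and 'CORP\DB-Users' are placeholder names.

function Find-WideOpenShare {
    # One record per offending ACE. Hidden shares (names ending in '$') are
    # included; the Hidden column makes the point that they are enumerable.
    $findings = @()
    foreach ($share in Get-SmbShare | Where-Object { $_.Path -and $_.Name -ne 'IPC$' }) {
        # Share layer: Everyone with Full access
        $shareAces = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' -and
            $_.AccountName -eq 'Everyone'
        }
        foreach ($ace in @($shareAces)) {
            $findings += [pscustomobject]@{
                Share = $share.Name; Hidden = $share.Name.EndsWith('$'); Layer = 'Share'
                Path  = $share.Path; Identity = $ace.AccountName; Rights = $ace.AccessRight
            }
        }
        # NTFS layer on the shared folder (unreachable paths are skipped)
        $acl = Get-Acl -LiteralPath $share.Path -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $ntfsAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.FileSystemRights.ToString() -match 'FullControl'   # explicit FullControl mask
        }
        foreach ($ace in @($ntfsAces)) {
            $findings += [pscustomobject]@{
                Share = $share.Name; Hidden = $share.Name.EndsWith('$'); Layer = 'NTFS'
                Path  = $share.Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
            }
        }
    }
    return $findings
}

function Set-LeastPrivilegeShare {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $AdminGroup,   # e.g. 'CORP\DB-Admins' (placeholder)
        [Parameter(Mandatory)] [string] $UserGroup     # e.g. 'CORP\DB-Users'  (placeholder)
    )
    $share = Get-SmbShare -Name $ShareName

    # Share layer: remove Everyone, give admins Full and ordinary users Read.
    # Effective access is the more restrictive of the two layers, so both must be right.
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
    Grant-SmbShareAccess  -Name $ShareName -AccountName $AdminGroup -AccessRight Full -Force | Out-Null
    Grant-SmbShareAccess  -Name $ShareName -AccountName $UserGroup  -AccessRight Read -Force | Out-Null

    # NTFS layer: stop inheriting from the parent (an inherited Everyone entry cannot be
    # removed directly), drop explicit Everyone entries, then add explicit rules.
    $acl = Get-Acl -LiteralPath $share.Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $rules   = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($AdminGroup,              'Modify'),
        @($UserGroup,               'ReadAndExecute')
    )
    foreach ($pair in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $pair[0], $pair[1], $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $share.Path -AclObject $acl
}

# Usage (run as Administrator on the server that hosts the database files):
#   Find-WideOpenShare | Format-Table -AutoSize
#   Set-LeastPrivilegeShare -ShareName 'DbScripts' -AdminGroup 'CORP\DB-Admins' -UserGroup 'CORP\DB-Users'
```

Run the audit first and review its output before applying the fix: the database service account must keep whatever rights it genuinely needs on the files, so add it to the admin group (or give it its own ACE) rather than relying on Everyone to cover it. The audit flags only Everyone, matching the article; an Authenticated Users - Full entry is better than Everyone but still worth a look.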
I realised then that the database company had little or no
understanding of NT4 security or just did not take it seriously. I
then got my second big surprise when the I.T. manager agreed with
the database company that it was our problem. I tried to object, but
as a contractor it really was not my place to take this any further.
I had done my job and raised the issue; if the company decided that
I was wrong, it was their problem.

A week or so later a user deleted a whole directory full of database
script files and a large part of the database stopped working. I did
not say, "Told you", but I did think it. Even this did not make
the I.T. manager rethink his position. He may not have wanted to
publicly acknowledge his mistake or maybe he still did not realise I
was right. Whatever the reason, the only action taken was to restore
the scripts from the backup tapes and warn the users to be more
careful. For all I know that database is still the same today, wide open to
anyone with any level of access to the network.

I think a degree of the blame for this sort of incident must be placed
on Microsoft. NT4 in its default "out of the box" state is very
insecure. Microsoft made little information easily available on how
to secure NT4. Most of what I learnt was from third party sources.

Secure those servers. Remember whose arse will get kicked if you get
hacked or something goes wrong. [Sarcasm on] Of course the company I
was working for will never get hacked. Those hidden shares will foil
attackers completely. [Sarcasm off]