The Bitter  Network Administrator

A Website Dedicated to Computer Professional...and some not so Professional

Don’t trust those techies, Part 2
by Graham Parks

In Part 1 of this article I told you about the possible dangers of having engineers from outside your company working on your network. Of course, some of them are very good, but do not assume you have a good one until you have checked their work.

This time I want to tell you about something potentially far more serious than the trouble I had with the phone company.

In the summer of 2000 I was working as a contractor for a rapidly expanding company. A brand new database system had been ordered and it duly arrived. A big black IBM box with four Xeon processors, 14 x 9Gb SCSI drives, 1 Gb RAM and a UPS that took two of us to lift. Oooh, new toy to play with!

A day or so later an engineer came from the database company to carry out the final configuration. After several hours he announced that he was finished. My curiosity was immediately aroused. The engineer had spent only a very few minutes with our I.T. manager. How had he configured the required user groups and NTFS permissions? When I had some time with nobody else around I inspected the new database and discovered the answer. ALL share and NTFS permissions were set to Everyone - Full Control. I could not believe they had used the Everyone group for the whole database; even using the Authenticated Users group would have been an improvement. As it was, if anyone managed to access the network then they would have full access to the database; they would not even have to hack into a user account. This amounts to leaving your home with the front door wide open and a big sign outside saying “Come in and help yourself”.

I reported all of this to the I.T. manager who at first, to my dismay, did not seem to realise the size of the problem. I persisted and he contacted the database company. Their answer was “It’s your domain, access permissions are nothing to do with us”. So I asked how we were supposed to know which areas of the database should be set to what level, i.e. change, read-only or no access. They repeated their original answer. I got a bit annoyed at this point, repeated my question and elaborated a bit in case they had misunderstood my concerns. This time they told us that all the database files were accessed via hidden shares, so no setting of permissions was necessary. Oh really!!!!
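The two mistakes in the story, Everyone - Full Control on both the share and the NTFS ACLs, and the belief that a hidden share (a name ending in `$`) is a form of access control, can be checked for mechanically. The following is an added audit example, not code from the article or from any vendor: it parses a constructed icacls-style listing for the database folders, combines each folder's NTFS permission with its share permission (the more restrictive of the two wins), and flags every share, hidden or not, where Everyone ends up with Change or Full Control. The share table, the icacls text and the paths are all constructed sample data; the parser assumes paths without spaces, which holds for that sample.

```python
"""Audit share + NTFS permissions for the 'Everyone - Full Control' mistake.

Added example with constructed data; not taken from the article's server.
"""
import re
from collections import defaultdict

# Share-style permission levels in increasing order of access.  The effective
# permission through a share is the MORE restrictive of share and NTFS levels.
LEVELS = {"none": 0, "read": 1, "change": 2, "full": 3}

# icacls simple-rights tokens mapped onto those levels.  Inheritance flags
# (OI, CI, IO, NP, I) carry no rights and are ignored.
RIGHT_TOKENS = {"F": "full", "M": "change", "W": "change",
                "RX": "read", "R": "read", "N": "none"}

# Constructed icacls-style output for the database volume (sample data).
SAMPLE_ICACLS = """\
D:\\DBData Everyone:(OI)(CI)(F)
           BUILTIN\\Administrators:(OI)(CI)(F)

D:\\DBScripts Everyone:(OI)(CI)(F)

D:\\Reports NT AUTHORITY\\Authenticated Users:(OI)(CI)(RX)
           BUILTIN\\Administrators:(OI)(CI)(F)
"""

# Constructed share table: (share name, path, principal, share permission).
# A trailing '$' hides the share from browsing; it is still reachable by name.
SAMPLE_SHARES = [
    ("DBData$", "D:\\DBData", "Everyone", "full"),
    ("DBScripts$", "D:\\DBScripts", "Everyone", "full"),
    ("Reports", "D:\\Reports", "Everyone", "read"),
]


def rights_to_level(rights: str) -> str:
    """Map an icacls rights string such as '(OI)(CI)(RX,W)' to a level."""
    best = "none"
    for token in re.findall(r"\(([^)]+)\)", rights):
        for part in token.split(","):
            level = RIGHT_TOKENS.get(part.strip())
            if level and LEVELS[level] > LEVELS[best]:
                best = level
    return best


def parse_icacls(text: str) -> dict:
    """Return {path: [(principal, level), ...]} from icacls-style lines.

    Continuation ACEs are indented; a non-indented line starts a new path.
    Assumes paths contain no spaces (true for the constructed sample).
    """
    acl = defaultdict(list)
    path = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            ace = line.strip()
        else:
            path, ace = line.split(None, 1)
        principal, rights = ace.rsplit(":", 1)
        acl[path].append((principal, rights_to_level(rights)))
    return dict(acl)


def effective_level(share_level: str, ntfs_level: str) -> str:
    """Share and NTFS permissions combine; the most restrictive wins."""
    return min(share_level, ntfs_level, key=LEVELS.__getitem__)


def audit(shares, ntfs_acl, principal="Everyone", threshold="change"):
    """Flag shares where `principal` effectively gets `threshold` or more.

    Hidden ($) shares are judged exactly like visible ones: hiding a share
    name is not access control.
    """
    findings = []
    for name, path, share_principal, share_level in shares:
        if share_principal != principal:
            continue
        for ace_principal, ntfs_level in ntfs_acl.get(path, []):
            if ace_principal != principal:
                continue
            eff = effective_level(share_level, ntfs_level)
            if LEVELS[eff] >= LEVELS[threshold]:
                findings.append({"share": name, "path": path,
                                 "hidden": name.endswith("$"),
                                 "effective": eff})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SHARES, parse_icacls(SAMPLE_ICACLS)):
        tag = "hidden share, still reachable by name" if f["hidden"] else "visible share"
        print(f"{f['share']:<12} {f['path']:<14} Everyone={f['effective']} ({tag})")
```

On the sample data the two `$` shares are reported with Everyone at Full Control while `Reports` is not, because its NTFS ACL grants Authenticated Users read only and Everyone nothing at all. Replacing the Everyone ACEs with a specific group at Change or Read, as the article suggests, is what makes the audit come back clean; renaming the share does not.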

I realised then that the database company had little or no understanding of NT4 security or just did not take it seriously. I then got my second big surprise when the I.T. manager agreed with the database company that it was our problem. I tried to object, but as a contractor it really was not my place to take this any further. I had done my job and raised the issue; if the company decided that I was wrong, it was their problem.

A week or so later a user deleted a whole directory full of database script files and a large part of the database stopped working. I did not say, “Told you”, but I did think it. Even this did not make the I.T. manager rethink his position. He may not have wanted to publicly acknowledge his mistake, or maybe he still did not realise I was right. Whatever the reason, the only action taken was to restore the scripts from the backup tapes and warn the users to be more careful.

For all I know that database is still the same today, wide open to anyone with any level of access to the network.

I think a degree of the blame for this sort of incident must be placed on Microsoft. NT4 in its default “out of the box” state is very insecure. Microsoft made little information easily available on how to secure NT4. Most of what I learnt was from third party sources.

So secure those servers. Remember whose arse will get kicked if you get hacked or something goes wrong. [Sarcasm on] Of course the company I was working for will never get hacked. Those hidden shares will foil attackers completely. [Sarcasm off]