~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ServerProtect(TM) 5.58 for Windows(TM) NT/2000/2003
Security Patch 4 - Build 1185
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contents
===================================================================
1. Overview of this Security Patch Release
1.1 Files Included in this Release
2. What's New
3. Documentation Set
4. System Requirements
5. Installation
6. Post-installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreement
===================================================================
1. Overview of this Security Patch Release
========================================================================
This security patch addresses buffer overflow vulnerabilities in
ServerProtect modules "EarthAgent.exe", "eng50.dll", "StRpcSrv.dll",
and "StCommon.dll".
1.1 Files Included in This Release
=====================================================================
Module          File Name            Build No.
NT Server       admin.exe            5.58 build 1185
                adm_enu.dll          5.58 build 1185
                AgentClient.dll      5.58 build 1185
                AgRpcCln.dll         5.58 build 1185
                cert5.db
                ciussi32.dll         2.0 build 1026
                EarthAgent.exe       5.58 build 1185
                Eng50.dll            5.58 build 1185
                EventMsg2.dll        5.58 build 1185
                Logdb.dll            5.58 build 1185
                LogDbTool.dll        5.58 build 1185
                LogViewer.exe        5.58 build 1185
                LogMaster.dll        5.58 build 1185
                Notification.dll     5.58 build 1185
                Patch.exe            2.80 build 2014
                patchbld.dll         5.1.0.0
                Patchw32.dll         5.1.0.0
                ScanNow.exe          5.58 build 1185
                SpntSvc.exe          5.58 build 1185
                Spuninst.exe         5.58 build 1185
                StCommon.dll         5.58 build 1185
                StHotfix.exe         5.58 build 1185
                Stopp.exe            5.58 build 1185
                StRpcCln.dll         5.58 build 1185
                StRpcSrv.dll         5.58 build 1185
                StUpdate.exe         5.58 build 1185
                TmEng.dll            6.80 build 1034
                Tmnotify.dll         1.0 build 1185
                Tmopp.dll            5.58 build 1063
                TmRpcSrv.dll         5.58 build 1185
                Tmupdate.dll         2.80 build 2014
                SP5NSLST.ini
                TSC.ini
                x500.db
                hotfix.ini
                tmsp.mib
NetWare Server  lprotect.nlm         5.58 build 1185
                pscan.nlm            5.58 build 1185
CM Agent Files  EN_Utility.dll       1.0 build 1355
                Entitymain.exe       1.0 build 1367
                LibEN_CM.dll         1.0 build 1364
                libEN_Logger.dll     1.0 build 1367
                libEN_Product.dll    2.52 build 1053
                xerces-c_1_7_0.dll   1.7
2. What's New
========================================================================
This security patch addresses buffer overflow issues for the
following RPC function calls:
- RPC call to function RPCFN_CMON_SetSvcImpersonateUser (in module
stcommon.dll)
- RPC call to function RPCFN_OldCMON_SetSvcImpersonateUser (in
module stcommon.dll)
- RPC call to function RPCFN_EVENTBACK_DoHotFix (in module
earthagent.exe)
- RPC call to function CMD_CHANGE_AGENT_REGISTER_INFO (in module
earthagent.exe)
- RPC call to function RPCFN_ENG_TakeActionOnAFile (in module
eng50.dll)
- RPC call to function RPCFN_ENG_AddTaskExportLogItem (in module
eng50.dll)
- RPC call to function RPCFN_ENG_TimedNewManualScan (in module
StRpcSrv.dll)
- RPC call to function RPCFN_SYNC_TASK (in module StRpcSrv.dll)
- RPC call to function RPCFN_SetComputerName (in module
StRpcSrv.dll)
- RPC call to function RPCFN_ENG_NewManualScan (in module
StRpcSrv.dll)
- RPC call to function NTF_SetPagerNotifyConfig (in module
Notification.dll)
3. Documentation Set
========================================================================
4. System Requirements
========================================================================
No special requirements for installing this security patch.
5. Installation
========================================================================
To install this security patch:
1. Copy the file "spnt_558_win_en_securitypatch4.exe" to a temporary
folder on the ServerProtect Information Server.
2. Ensure that the ServerProtect Management console is not open.
3. Open "spnt_558_win_en_securitypatch4.exe" and follow the
instructions to install the patch. The Information Server will
deploy the patch to NT Normal Servers 30 seconds after the
installation is complete, and then it will restart the
ServerProtect services.
Note: If the installation does not complete successfully, review the
file "TMPatch.log" in the system root folder before contacting
technical support.
To roll back to the previous build:
1. Before you can roll back, run the following shell commands to stop
all ServerProtect services:
net stop spntsvc
net stop earthagent
net stop "TrendMicro Infrastructure"
2. You can find the backup files with the file extension "bak" in the
the ServerProtect home directory. To roll back, just rename the
backup files and use them to replace the current files.
3. After the rollback, run the following commands to start the
ServerProtect services:
net start spntsvc
net start earthagent
net start "TrendMicro Infrastructure"
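The rollback steps above as a single script, added here as an example and not part of Trend Micro's patch; the ServerProtect home directory path and the ".bak"-suffix naming of the backup files are assumptions, so check both against your installation before running it.

```powershell
# Added example: automates the rollback procedure from these release notes.
# Assumptions (not stated in the notes): $SpntHome is the ServerProtect home
# directory on this server, and each backup carries the original file name plus
# a ".bak" suffix (e.g. StRpcSrv.dll.bak). Run from an elevated PowerShell prompt.
param(
    [string]$SpntHome = 'C:\Program Files\Trend\SProtect',  # assumed path; adjust to your install
    [switch]$DryRun                                          # print actions without changing anything
)

# Service names exactly as given in the rollback steps.
$services = @('spntsvc', 'earthagent', 'TrendMicro Infrastructure')

function Stop-ServerProtect {
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Service '$name' not found; skipping"; continue }
        if ($svc.Status -ne 'Stopped') {
            Write-Host "Stopping $name"
            if (-not $DryRun) {
                Stop-Service -Name $name -Force
                $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(1))
            }
        }
    }
}

function Restore-ServerProtectBackups {
    # Returns the number of files restored.
    $backups = @(Get-ChildItem -Path $SpntHome -Filter '*.bak' -File -ErrorAction Stop)
    if ($backups.Count -eq 0) { throw "No .bak files found in $SpntHome; nothing to roll back" }
    foreach ($bak in $backups) {
        $target = Join-Path $bak.DirectoryName ($bak.Name -replace '\.bak$', '')
        Write-Host ("Restoring {0} -> {1}" -f $bak.Name, (Split-Path $target -Leaf))
        if (-not $DryRun) {
            # Keep the patched file aside so the rollback itself can be undone.
            if (Test-Path $target) { Move-Item -Path $target -Destination "$target.patched" -Force }
            Move-Item -Path $bak.FullName -Destination $target
        }
    }
    return $backups.Count
}

function Start-ServerProtect {
    foreach ($name in $services) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Write-Host "Starting $name"
            if (-not $DryRun) { Start-Service -Name $name }
        }
    }
}

Stop-ServerProtect
$restored = Restore-ServerProtectBackups
Start-ServerProtect
Write-Host "Rolled back $restored file(s); compare file versions with the 'Files Included' table above."
```

Run with `-DryRun` first to see which files would be swapped; after the real run, confirm the build numbers in the file properties match the previous release before handing the server back.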
6. Post-installation Configuration
========================================================================
No post-installation configuration needed for this patch.
Note: Trend Micro recommends that you update your scan engine and
virus pattern files immediately after installing this patch.
7. Known Issues
========================================================================
This release has the following known issues:
7.1 You must close the Management Console before applying this patch.
Otherwise, the patch installation will not be successful.
7.2 You cannot install the ServerProtect Normal Server and an
OfficeScan(TM) client on the same computer.
7.3 After this patch is applied, the pattern update progress bar may
not accurately reflect the actual progress.
Sophos Mobile Security for Windows Mobile release notes
-------------------------------------------------------
Product version 1.0.0, February 2008
Copyright 2008 Sophos Group. All rights reserved.
Contents
--------
About Sophos Mobile Security for Windows Mobile
New in this version
Known issues
Additional information
System requirements
Technical support
About Sophos Mobile Security for Windows Mobile
-----------------------------------------------
Sophos Mobile Security for Windows Mobile protects Windows Mobile 6
and Windows Mobile 5.0 devices from mobile viruses and spyware.
New in this version
-------------------
This is the first release of Sophos Mobile Security. It provides the
following key features:
* Detects Windows Mobile and Symbian mobile malware.
* Scans on access, on demand and allows setting of scheduled scans.
* Quarantines malware with disinfect, delete and release options.
* Reports infections with email alerts.
* Updates automatically direct from Sophos via HTTP.
* Software can be configured and locked down prior to installation with a simple
administrator tool.
Known issues
------------
* Sophos Mobile Security is known to conflict with Trust Digital Mobile Edge
Device Security. The Trust Digital device software and Sophos Mobile
Security cannot function at the same time on an individual device.
* Sophos Mobile Security can only be used on Windows Mobile 6 devices in 96
dpi screen mode.
* Sophos Mobile Security has not been tested with Windows Vista Device
Manager.
Additional information
----------------------
* Sophos Mobile Security must be installed to device storage memory, not a
storage card.
* Malware designed for desktop-based operating systems such as Windows
98/2000/2003/XP/Vista will not be detected.
System requirements
-------------------
Sophos Mobile Security for Windows Mobile
-----------------------------------------
* Supported platforms
Windows Mobile 6 Professional Edition
Windows Mobile 6 Classic Edition
Windows Mobile 5.0 Pocket PC Edition
Windows Mobile 5.0 Pocket PC Phone Edition
The following platforms are not currently supported:
Windows Mobile 6 Standard Edition
Windows Mobile 5.0 Smartphone Edition
* Storage space
5 MB free storage space
Sophos Mobile Security Configuration Tool
-----------------------------------------
* Operating system requirements
Windows 2000 Professional/Server (SP4)
Windows XP Professional (SP2)
Windows 2003 Server (SP1)
* Disk space
5 MB free disk space
Technical support
-----------------
For technical support, visit www.sophos.com/support.
If you contact technical support, provide as much information as possible,
including the following:
1. Sophos software version number(s)
2. Operating system(s) and patch level(s)
3. The device on which the problem was found
4. The exact text of any error messages you may have received
Release date: February 18, 1999
Application: Microsoft Windows NT 4.0
Severity: any local user can gain administrator privileges
and/or take full control over the system
Author: dildog@l0pht.com
URL: http://www.L0pht.com/advisories.html
---
Overview :
---
Microsoft Windows NT 4.0 implements a system-wide cache of
file-mapping objects for the purpose of loading system dynamic link
libraries (DLLs) as quickly as possible. These cache objects, located in
the system's internal object namespace, are created with permissions such
that the 'Everyone' group has full control over them. Hence, it is
possible to delete these cache objects and replace them with others that
point to different DLLs.
When processes are created, the loader maps/loads the loading
executable's imported DLLs into the process space. If there is a DLL cache
object available, it is simply mapped into the process space, rather than
going to the disk. Hence, there is an exploitable condition, when a
low-privilege user replaces a DLL in the cache with a trojan DLL, followed
by a high-privilege account launching a process. The high-privileged
process will map in the trojan DLL and execute code on behalf of the low
privilege user.
---
Affected systems:
---
Windows NT 4.0 Server SP4
Windows NT 4.0 Workstation SP4
Other service packs are likely to be vulnerable, but the exploit has
not been tested on them, neither has the fix presented below.
---
Description :
---
The Windows NT object namespace is the place where the kernel
keeps the names of mutexes, semaphores, filemapping objects, and other
kernel objects. It is organized hierarchically, like a directory
structure. Amongst the directories are:
Device
BaseNamedObjects
Driver
KnownDlls
...
The NT object namespace is browsable with a tool called 'WinObj
2.0' from System Internals (their website is http://www.sysinternals.com).
You may wish to look around this namespace and browse the default
permissions of objects. It is quite entertaining, really.
The "KnownDlls" directory contains a list of DLLs in the
c:\winnt\system32 directory, like:
\KnownDlls\COMCTL32.dll
\KnownDlls\MPR.dll
\KnownDlls\advapi32.dll
\KnownDlls\kernel32.dll
...
All of these objects are created at boot time, and are 'permanent
shared objects'. Normally, users can not create permanent shared objects
(it's an advanced user right, and it is normally not assigned to any
group, even Administrators). But the system preloads this cache for you.
Permanent shared objects differ from regular shared objects only in the
fact that they have a flag set, and an incremented reference count, such
that if you create one, and then terminate the creating process or close
all handles to the object, it does not disappear from the object space.
To exploit the poor permissions on this cache, one first needs to
delete one of the shared objects by name, in order to later replace it. So
we make a call to the NTDLL.DLL native function "OpenSection()", getting a
handle to the object. Then we call the
NTOSKRNL.EXE native function "ZwMakeTemporaryObject()" which removes the
'permanent' flag and decrements the reference counter from the object. Now
we just call NTDLL.DLL:NtClose() on the handle and it is destroyed.
To create a section, one calls NTDLL.DLL:CreateSection(), which is
undocumented. There are other calls one needs to make in order to set up
the object and open the KnownDlls directory, but they are trivial and will
not be discussed here. Feel free to browse the source code presented at
the end of this advisory to see what you need to do though. Anyway, you
create a section (aka file-mapping) object that points to a trojan DLL. A
good candidate for DLL trojan is KERNEL32.DLL, since it is loaded by
pretty much every executable you're going to run.
Note that any DLL cache objects you create as a user can not be
'permanent', hence, when you log out, the cache object _will_ disappear.
So how can we get a higher privilege process to run while we're logged in?
There are many ways. We can wait for an 'At' job to go off, or we can set
up the DLL hack as an 'At' job that goes off when someone else is logged
in. But more reliable is this:
When a new Windows NT subsystem is started, it creates a subsystem
process to handle various system details. Examples of these processes are
LSASS.EXE and PSXSS.EXE. PSXSS.EXE is the POSIX subsystem. But no one ever
really uses the POSIX subsystem under NT, so chances are it won't be loaded
into memory yet. Once it is, though, it stays loaded until the machine
reboots. If it is loaded, reboot the machine and it won't be.
So, we launch our DLL cache hack, and then run a POSIX subsystem
command, thus launching PSXSS.EXE (which runs as 'NT AUTHORITY\SYSTEM',
the system account), and running our DLL with local administrator
privileges. Incidentally, other subsystems have the
same effect, such as the OS/2 subsystem (the only other one that probably
isn't started yet).
---
Workarounds/Fixes:
---
I developed a patch for this security problem in the form of a
Win32 Service program that can be installed by the Administrator of the
system. It sets itself to run every time the system is started, and before
the user has the opportunity to start a program, it adjusts the
permissions of the DLL cache to something much safer. The source code for
this service is also provided, along with a compiled version. Links to
the programs can be found at http://www.l0pht.com/advisories.html.
One can verify the validity of the patch by downloading the WinObj
v2.0 tool from System Internals (www.sysinternals.com) and inspecting the
permissions of the KnownDlls directory, and the section objects within it.
Microsoft has been sent a copy of this advisory, and I would
expect a hotfix from them at some point in the near future.
---
Example :
---
I wrote up a trojan to test exploitability, and it was a simple
'forwarder' DLL that had the same exported names as KERNEL32.DLL, but a
different 'DllMain()' function, to be called when the DLL is loaded. The
function calls in my trojan simply forward off to the real KERNEL32.DLL
calls located in a copy of the kernel that you make in 'REALKERN.DLL' in
the c:\temp directory.
To try out this vulnerability, obtain an account as a
low-privilege guest user (referred to as 'Dick') and do the following:
1. Log in as Dick at the console.
2. Start up two "cmd.exe" shells. Do the following in one of them.
3. Copy c:\winnt\system32\kernel32.dll to c:\temp\realkern.dll
(The egg dll is hard coded to use the c:\temp directory to find this file.
If you can't put it in c:\temp, then modify the source '.def' file to
point to a different location and recompile eggdll.dll)
4. Copy the provided hackdll.exe and eggdll.dll to c:\temp
5. Ensure that there is no file named c:\lockout. If there is,
delete it. The exploit uses this file as a lockfile.
6. Delete the KERNEL32.DLL file-mapping object from the system cache:
c:\> cd \temp
c:\temp> hackdll -d kernel32.dll
7. Insert the new file-mapping object with:
c:\temp> hackdll -a kernel32.dll c:\temp\eggdll.dll
Don't hit a key in this window after hitting enter.
8. Now move to the other cmd.exe window that you started.
9. Run a POSIX subsystem command. A good way to start it is:
c:\temp> posix /c calc
(if you have calculator installed. If not, pick some other program)
10. Now the EGGDLL.DLL will prompt you with a few message boxes:
Say no to the "User is DOMAIN\DICK, Spawn Shell?" box.
Say no to the "User is [garbage], Spawn Shell?" box.
Say YES to the "User is NT AUTHORITY\SYSTEM, Spawn Shell?" box.
Say YES to the "Winsta0" window station message box.
Say YES to the "Desktop" window desktop message box.
You will now see a "System Console" command.com shell open up.
(saying yes to the next 'winlogon' box will give you something
funny when you log out, btw)
11. Now go back to your first cmd.exe window and hit a key to
unpoison the DLL cache.
12. In the System Console window, run the User Manager program,
and modify Dick's account (or anyone else's for that matter) to your
heart's content.
(NT Server) c:\winnt\system32> usrmgr
(NT Workstation) c:\winnt\system32> musrmgr
---
Source and Compiled Code:
---
Exploit code can be downloaded from L0pht's website at
http://www.l0pht.com/advisories.html. It is available in compiled form,
and in pure source form as two zipfiles. The L0pht patch for this advisory
is also available in both source form and compiled form from the same
URL.
dildog@l0pht.com
---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------
----------------------------------------------------------------------------
Date: Fri, 19 Feb 1999 11:23:44 +0000
From: Paul Ashton <paul@ARGO.DEMON.CO.UK>
To: BUGTRAQ@netspace.org
Subject: Re: L0pht Security Advisory: Windows NT
Dildog <dildog@L0PHT.COM> writes:
> L0pht Security Advisory
> ---
> Workarounds/Fixes:
> ---
>
> I developed a patch for this security problem in the form of a
> Win32 Service program that can be installed by the Administrator of the
> system. It sets itself to run every time the system is started, and before
> the user has the opportunity to start a program, it adjusts the
> permissions of the DLL cache to something much safer.
Alternatively, you can set
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode=1
and reboot.
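A check for both defences named in this thread (the advisory's tightened DLL cache permissions and the registry value in the reply), added here as an example and not code from the advisory or its author. It assumes the Sysinternals accesschk.exe is on PATH, an English locale (for the 'Everyone' name) and an elevated prompt; the accesschk switches are as documented for the tool.

```powershell
# Added example (not from the advisory or the reply): verifies the two defences
# described above on a running system. ProtectionMode=1 tightens the default DACLs
# on base system objects such as \KnownDlls; Sysinternals accesschk.exe (assumed to
# be on PATH) then lists which objects under \KnownDlls 'Everyone' can still write.
# Run elevated; the 'Everyone' name assumes an English locale.

function Get-ProtectionMode {
    # Returns the ProtectionMode value from the Session Manager key, or $null if absent.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name 'ProtectionMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ProtectionMode
}

function Get-KnownDllsWritableByEveryone {
    # accesschk switches used (as documented for the tool): -o object-namespace mode,
    # -s recurse, -w show only objects with write access, -u suppress errors.
    # Returns the matching output lines (possibly empty), or $null when accesschk is unavailable.
    $exe = Get-Command 'accesschk.exe' -ErrorAction SilentlyContinue
    if ($null -eq $exe) { Write-Warning 'accesschk.exe not found; skipping DACL check'; return $null }
    $out = & $exe.Source -accepteula -o -s -w -u 'Everyone' '\KnownDlls' 2>$null
    # Each reported object appears as an access prefix (e.g. "RW") followed by its path;
    # the leading comma keeps an empty result an array rather than unrolling to $null.
    return ,@($out | Where-Object { $_ -match '\\KnownDlls' })
}

$mode = Get-ProtectionMode
if ($null -eq $mode) {
    Write-Warning 'ProtectionMode is not set; \KnownDlls DACLs fall back to defaults.'
} elseif ($mode -ne 1) {
    Write-Warning "ProtectionMode = $mode (expected 1); set it to 1 and reboot."
} else {
    Write-Host 'ProtectionMode = 1: base named objects get restrictive DACLs at boot.'
}

$writable = Get-KnownDllsWritableByEveryone
if ($null -eq $writable) { return }
if ($writable.Count -gt 0) {
    Write-Warning 'Objects under \KnownDlls writable by Everyone (the condition the advisory describes):'
    $writable | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'No object under \KnownDlls is writable by Everyone.'
}
```

WinObj, as the advisory suggests, shows the same DACLs interactively; this script is the scriptable equivalent for a fleet check.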
Windows NT Tips & Tricks
12 September 1997
Multiple Boot Systems
Most computer users do all of their computing from within a single
operating system, and thus only need a single Windows NT system, but
there are other aspects of a multiple boot system that may be useful
to you. A multiple boot system (meaning you have more than one
operating system you can boot into) can allow you to run a wider range
of programs, and can give you the means for faster and easier disaster
recovery, and greater security.
Second Windows NT System
This is useful for swift recovery of a corrupted system. Normally you
would have to recover through use of an Emergency Repair Disk or, in
extreme cases, through a full reinstallation of Windows NT. Both of
these methods take longer than recovery through a secondary system,
and the full reinstallation will likely lose your registry data and
require reinstallation of your applications. But if you have a
secondary system partition, restoring from backups can be all that you
need to do, especially if your backup package can make a full image
backup.
A second Windows NT system is simply a minimal Windows NT installation
with no optional features, just what you need to boot up and access
files. This would include your backup package so you can run it to
restore the primary system if necessary. When you cannot boot into
your primary system, you boot into this one and use it to repair the
primary. The repair can be done by copying a replacement for a known
bad file, or by restoring from a backup, or (if your backup package
allows it) by reformatting the primary system partition and restoring
an image backup. The third option, restoring an image backup,
requires that the secondary Windows NT system be installed into a
separate partition. Ideally it would be on a separate physical disk,
as this would allow you to recover should the hard disk containing the
primary system partition fail. This is probably the best system for
most sites.
The primary system partition should be on a separate hard disk from
the boot partition. The boot partition will also be the secondary
system partition. Then, if the boot partition (or disk) fails, you
can reformat and reinstall your secondary system, and the primary will
be untouched, with no recovery required. If the primary system
partition fails, you can boot to the secondary system and restore the
primary from backup.
DOS
Installing DOS gives you the ability to use tools that may not be
Windows NT compatible. Please be warned that many DOS applications do
not work well with Windows NT; you can corrupt data or crash your
system by running them when you have Windows NT booted. This is
because DOS applications generally are designed under the assumption
that they can use all of the resources of the system; this conflicts
with Windows NT. Many DOS applications do run well under Windows NT,
but before trying one, be sure you have a full backup! A very common
problem is corrupting the data in memory, which is why Windows NT
usually gives you the option of running a DOS application in its own
memory space. Always use this option.
The most common hazard in running DOS applications on a system that
also has Windows NT lies in the long Windows NT filenames. DOS cannot
recognize them, and will truncate them, which may result in the
applications that access those files being unable to find them. You
could get around this under Windows NT 3.51 by simply not using long
filenames, but Windows NT 4.0 uses some long names in the operating
system. If any system files get their names truncated, you may not be
able to bring up Windows NT.
When you are booted to DOS you will not be able to access any NTFS
partitions unless you have a special program to allow NTFS access. I
have heard of such programs, but have never used one. I have not
heard if any are out of beta test, nor do I know how to locate them,
or how safe they are. We do not recommend their use.
Windows
If you have installed DOS, you can also install Windows. Some Windows
applications are not NT compatible, so again, you should have a full
backup before first trying to run one from Windows NT. However,
running Windows applications from Windows will not damage your Windows
NT files, except as noted above for DOS.
When defragmenting with Diskeeper for Windows NT, there is a special
hazard to watch for if you run Windows for Workgroups: You must add
the Windows for Workgroups pagefile to the Diskeeper Exclusion List.
If the Windows for Workgroups pagefile is defragmented, it may become
unusable.
Windows 95
Windows 95 can use the FAT-32 format, which Windows NT does not yet
do, and cannot access NTFS partitions. Many applications that will
run under Windows 95 will not run under Windows NT, and vice-versa.
Aside from these points, I don't know of any incompatibilities between
the two systems.
The Configuration
Now, putting this all together, we can decide what will usually be the
best configuration. Most systems have a built-in boot sequence of A:,
C: (or C:, A:). For these, you should have the Primary Windows NT
System on D:, using the NTFS format, and the Secondary Windows NT
System on C:. C: should be NTFS format (for security) unless you are
using another operating system (DOS, Windows, Windows 95). Then C:
must use the FAT format because DOS and the DOS-based systems do not
support the NTFS format and require that C: be available. Windows NT
does not require that the boot and system partitions be the same, so
it will boot perfectly well from D:.
Putting the Primary Windows NT system on an NTFS format device means
you will be able to take advantage of all of the Windows NT security,
which is not available on a FAT format partition; it will be that much
harder for a criminal to get past your security setup. Having the
Windows NT system partition not the same as the boot partition gives
you an easier recovery path in the event of a boot partition failure,
as described under Second Windows NT System.
If your system allows a boot from a device other than A: or C:, you
can make that other device a secondary boot partition. If your BIOS
setup allows you to specify the bootable hard device (say, C: or D:),
you can use C: for your primary bootable NTFS format system partition,
then, for a recovery system, change the boot device to D: and make
that a bootable partition.
Who should read this document: Customers who use Microsoft® Windows®
Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.
Caveats: The security update for Windows NT Server 4.0 Terminal Server Edition Service Pack 6 requires, as a prerequisite, the Windows NT Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To download the SRP, visit the following Web site. You must install the SRP before you install the security update that is provided in this security bulletin. If you are not using Windows NT Server 4.0 Terminal Server Edition Service Pack 6 you do not need to install the SRP.
Tested Software and Security Update Download Locations:
Affected Software:
• Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update
• Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update
• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update
• Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 – Download the update
• Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update
• Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update
• Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update
• Microsoft Windows Server™ 2003 – Download the update
• Microsoft Windows Server 2003 64-Bit Edition – Download the update
• Microsoft NetMeeting
Windows NT Security Check Part II
=================================
Introduction
------------
In Part I of "Windows NT Security Check" I explained some basic things about user accounts
and logging options. In this part I'll try to explain various groups and user rights. Please
note that any of the topics provided in these articles can be discussed on our webboard
located at http://net-security.org/webboard.htm
Groups
------
The membership of groups should be carefully evaluated. A group that is granted
permissions to sensitive files might contain users that should not have that access.
Open each group listed in the User Manager and inspect its members.
- Carefully evaluate the members of management groups such as Administrators, Server
Operators, Account Operators, Backup Operators, and Print Operators. Remove all
unnecessary accounts.
- Make sure that all administrative users have two accounts: one for administrative
tasks and one for regular use. Administrators should only use their administrative
accounts when absolutely necessary.
- Evaluate each global group membership and the resources that the group has access to.
Does the group have access in other domains?
- What folders and files do groups have permission to access?
- Do local groups hold global groups from other domains? Check the membership of these
global groups and make sure that no users have unnecessary access to resources in the
current domain.
The Administrator Account and Administrators Group
--------------------------------------------------
The Administrator account and Administrators group have unlimited rights on the system.
Therefore, you need to carefully evaluate the membership of the Administrators group
and take care of some other housekeeping related to the Administrator account:
- If you are taking over the management of an existing system, you should change the
Administrator account name and password immediately. You do not know who might have a
password that would give them access to the account.
- The Administrator account is often the target of attacks because of its well-known name.
You should rename the Administrator account to an obscure name and create a "decoy"
account called "Administrator" with no permissions. Intruders will attempt to break in
to this decoy account instead of the real account.
- Enable failed logons in the auditing system to detect attempts to log on to any account,
including Administrator.
- Look for unnecessary accounts that have Administrator status. Perhaps an intruder has
created such an account as a backdoor into the system.
The Administrators group has the "Access this computer from network" right, which you can
remove to prevent account hijacking or unauthorized activities. Without this right,
administrators must log on at the computer itself, in a controlled environment, to do any
administrative tasks. You will also need to remove the right from the Everyone group and
then add back the accounts that are allowed to log on from the network.
The Guest Account and Everyone Group
------------------------------------
Most administrators agree that the Guest account should be disabled, although disabling it
removes the ability of anonymous users to access a system. If you decide to enable the
Guest account for public services, consider creating a separate domain for those services
where the Guest account is enabled. Alternatively, use a Web server for this type of system.
- Users who log on as guests can access any shared folder that the Everyone group has
access to (i.e., if the Everyone group has Read permissions to the Private folder,
guests can access it with Read permissions).
- You don't know who Guest users are and there is no accountability because all guests
log in to the same account.
- If you have Microsoft Internet Information Server software installed, a special Guest
account called IUSR_computername exists with the rights to log on locally. Remove this
account if you don't want the general public to access your Web server. Users must then
have an account to access the Web server.
User rights
-----------
In the User Manager for Domains, check the rights that users and groups have on the
system. Choose User Rights from the Policies menu to display the User Rights Policy
dialog box. Initially, the box shows the basic rights. To evaluate all rights, click the
Show Advanced User Rights option. Here are some considerations for basic rights:
- Access this computer from the network
By default, only the Administrators and the Everyone group have this right. Remove
the Everyone group (why would you want everyone to access this server from the network
if you are interested in security?), then add specific groups as appropriate. For
example, create a new group called "Network Users" with this right, then add users who
should have network access.
- Backup files and directories
Users with this right can potentially carry any files off-site. Carefully evaluate which
users and groups have this right. Also evaluate the "Restore files and directories" right.
- Log on locally
For servers, only administrators should have this right. No regular user ever needs
to log on directly to the server itself. By default, the administrative groups
(Administrators, Server Manager, etc.) have this right. Make sure that any user who is
a member of these groups has a separate management account.
- Manage auditing and security logs
Only the Administrators group should have this right.
- Take ownership of files or other objects
Only the Administrators group should have this right.
Scan all the advanced rights to make sure that a user has not been granted rights
inappropriately.
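An audit script for the checks in the Groups, Administrator account, Guest account and User rights sections above, added here as an example and not part of the article. It assumes a member server or workstation with PowerShell 5.1 or later (for the LocalAccounts cmdlets), run from an elevated prompt; secedit's export syntax and the well-known SIDs are as documented by Microsoft.

```powershell
# Added example (not from the article): audits the checks above on one machine.
# User rights are exported with secedit and parsed from the [Privilege Rights]
# section; group membership and account state come from the LocalAccounts cmdlets
# (PowerShell 5.1+, member server or workstation; assumption). Run elevated.

# Rights named in the article, mapped to the constants secedit uses.
$rights = @{
    'Access this computer from the network'    = 'SeNetworkLogonRight'
    'Backup files and directories'             = 'SeBackupPrivilege'
    'Restore files and directories'            = 'SeRestorePrivilege'
    'Log on locally'                           = 'SeInteractiveLogonRight'
    'Manage auditing and security log'         = 'SeSecurityPrivilege'
    'Take ownership of files or other objects' = 'SeTakeOwnershipPrivilege'
}
$Everyone       = 'S-1-1-0'       # well-known SID of the Everyone group
$Administrators = 'S-1-5-32-544'  # well-known SID of BUILTIN\Administrators

function ConvertFrom-SeceditInf {
    # Parses the [Privilege Rights] section of a secedit export into right -> SID list.
    param([string[]]$Lines)
    $map = @{}; $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\S+)\s*=\s*(.*)$') {
            # Values look like "*S-1-5-32-544,*S-1-1-0"; the leading '*' marks a SID.
            $map[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $map
}

function Resolve-Sid {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable SIDs (e.g. deleted accounts) are reported raw
}

function Get-UserRightsFindings {
    # Applies the article's rules: Everyone must not hold network access, only
    # Administrators may audit or take ownership, and backup/restore/local logon are listed for review.
    param([hashtable]$Assignments)
    $findings = @()
    if ($Assignments['SeNetworkLogonRight'] -contains $Everyone) {
        $findings += 'Everyone holds "Access this computer from the network"; remove it and grant specific groups'
    }
    foreach ($name in 'Manage auditing and security log', 'Take ownership of files or other objects') {
        $extra = @($Assignments[$rights[$name]] | Where-Object { $_ -ne $Administrators })
        if ($extra.Count -gt 0) {
            $findings += "$name held by non-Administrators: $(($extra | ForEach-Object { Resolve-Sid $_ }) -join ', ')"
        }
    }
    foreach ($name in 'Backup files and directories', 'Restore files and directories', 'Log on locally') {
        $holders = @($Assignments[$rights[$name]] | ForEach-Object { Resolve-Sid $_ })
        $findings += "$name is held by: $($holders -join ', ') (review each)"
    }
    return $findings
}

# --- run the audit ---
$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$assignments = ConvertFrom-SeceditInf (Get-Content $inf)
Remove-Item $inf -ErrorAction SilentlyContinue
Get-UserRightsFindings $assignments | ForEach-Object { Write-Host "[rights] $_" }

# Management groups the article names (those absent on this machine are skipped).
foreach ($g in 'Administrators', 'Backup Operators', 'Account Operators', 'Server Operators', 'Print Operators') {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    if ($members) { Write-Host "[group] $g : $(($members.Name) -join ', ')" }
}
# Guest (RID 501) should be disabled; the built-in Administrator (RID 500) should be renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { Write-Host "[account] Guest account '$($guest.Name)' is enabled" }
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin -and $admin.Name -eq 'Administrator') { Write-Host '[account] built-in Administrator still uses the well-known name' }
```

On a domain controller the group and account checks must instead go through the Active Directory cmdlets, and the exported rights reflect the effective policy, so run it after Group Policy has applied.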
Files, Folders, Permissions and Shares
--------------------------------------
This discussion assumes that you are only using NTFS volumes on your servers. Do not
use FAT volumes in secure installations.
To check permissions on folders and other resources, you must go to each resource
individually to review which users and groups have permissions. This can be a
bewildering task, so for large systems obtain a copy of the Somarsoft DumpACL utility.
To open the Permissions dialog box for a folder or file, right-click it and choose
Properties, then click either the Sharing or the Security tab. The Sharing options
show who has access to the folder over the network. The Security tab has the Permission
and Auditing buttons so you can check local permissions or set auditing options.
Start your evaluation with the most sensitive and critical folders if you are doing
this procedure manually or performing a periodic checkup. Take care to do the following:
- Check each folder and/or file to determine which local users and groups have access
and whether that access is appropriate.
- Check all shared folders and the share permissions
on those folders to determine which network users and groups have access and whether
that access is appropriate.
- Program files and data files should be kept in separate folders to make management
and permission setting easier. Also, if users can copy files into a data folder,
remove the Execute permission on the folder to prevent someone from copying and
executing a virus or Trojan Horse program.
- Separate public files from private files so you can apply different permission sets.
- If users or groups have access to a folder, should they have the same access to
every file in the folder? To every subdirectory? Check the sensitivity of files and
attached subdirectories to evaluate whether inherited permissions are appropriate.
- Keep in mind that a freshly formatted NTFS volume grants the Everyone group Full Control
at its root, and new folders inherit their parent's permissions, so every folder you
create under it gets Everyone: Full Control as well. Change the Everyone entry on a parent
folder before creating subdirectories, and the new subdirectories will inherit the
tightened setting.
- If the server is connected to an untrusted network such as the Internet, do not
store any files on the server that are sensitive and for in-house access only.
- Never share the root directory of a drive or one of the drive icons that appears in the
graphical display. An exception would be sharing a Read Only CD-ROM drive for public
access.
- For sensitive directories, enable auditing. Right-click the folder, choose Properties,
click the Security tab, then click Auditing and enable Failure auditing to record users
who attempt unauthorized access to a folder or file. Note that File and Object Access
must be enabled from the Audit policy in User Manager, as described later; without it
the per-folder auditing settings record nothing.
- Use encryption wherever possible to hide and protect files. Windows NT 4.0 has no
built-in file encryption (EFS arrived with Windows 2000); Mergent
(http://www.mergent.com/) and RSA Data Security (http://www.rsa.com/) provide encryption
software for this purpose.
You can remove Everyone's access to an entire folder tree by going to the root of the
drive, changing the permissions, and propagating those permissions to subdirectories.
Do not do this for the systemroot folder (usually C:\WINNT): the system and its services
need access there, so update Everyone's permissions on it manually and selectively.
Virus and Trojan Horse Controls
-------------------------------
Viruses are a particularly serious problem in the network environment because the client
computer can become infected, transferring the virus to server systems. Other users may come
into contact with infected files at the server. Evaluate and set the following options:
- Program directories should have permissions set to Read and Execute (not Write) to
prevent a virus from being written into a directory where it can be executed. To install
programs, temporarily set Write on, then remove it.
- Install new software on a separate, quarantined system for a test period, then install
the software on working systems once you have determined that it is safe to run.
- Public file sharing directories should have the least permissions possible, i.e., Read
Only, to prevent virus infections.
- If a user needs to put files on your server, create a "drop box" directory that has
only the Write permission. Check all new files placed in this directory with a virus
scanner. Implement backup policies and other protective measures.
- Educate and train users.
- Check the Symantec (<http://www.symantec.com/>) site for interesting papers on
Windows NT-specific virus issues.
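The folder checks above (Everyone able to write outside a drop box, writable program
directories, drop boxes that should allow only Write, public folders that should allow
only Read) can be run over the output of cacls instead of clicking through every
Properties dialog. The following is an added example in Python, not code from the
original article. The cacls output it parses is constructed rather than captured from a
real server, the account CORP\Staff and the folder roles given to audit_sample() are
assumptions, and the alignment rule it relies on (cacls indents continuation lines by the
length of the path plus one space) is marked as an assumption in the code.

```python
"""Audit cacls output against the folder-permission rules in the article.

Added example, not code from the article. Parses the text that cacls prints
on Windows NT 4.0/2000 and flags the conditions the article warns about.
The sample output is constructed; folder roles are assumptions.
"""
import re
from typing import Dict, Iterable, List, Tuple

# One ACE per line: "<account>:<(OI)(CI)...><letter>", where the letter is
# N (none), R (read), W (write), C (change) or F (full control).
# "special access" masks are not handled by this example.
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRWCF])$")

ADMIN_ACCOUNTS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}
WRITE_PERMS = {"W", "C", "F"}

# Constructed sample of `cacls E:\apps E:\public E:\dropbox E:\data` (not real output).
SAMPLE_CACLS = """\
E:\\apps BUILTIN\\Administrators:(OI)(CI)F
        NT AUTHORITY\\SYSTEM:(OI)(CI)F
        Everyone:(OI)(CI)F
E:\\public BUILTIN\\Administrators:(OI)(CI)F
          Everyone:(OI)(CI)R
E:\\dropbox BUILTIN\\Administrators:(OI)(CI)F
           Everyone:(OI)(CI)W
E:\\data BUILTIN\\Administrators:(OI)(CI)F
        CORP\\Staff:(OI)(CI)C
        Everyone:(OI)(CI)C
"""


def parse_cacls(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {folder: [(account, permission letter), ...]}.

    Assumption: cacls prints "<path> <first ACE>" and indents the remaining
    ACEs by len(path) + 1 spaces, so the indent of the second line marks
    where the path ends even when the path contains spaces.
    """
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] == " " and blocks:
            blocks[-1].append(line)          # continuation ACE for the current folder
        else:
            blocks.append([line])            # new folder
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for block in blocks:
        first = block[0]
        if len(block) > 1:
            indent = len(block[1]) - len(block[1].lstrip(" "))
            path, aces = first[: indent - 1], [first[indent:]]
        else:                                # single ACE: assume no spaces in the path
            path, rest = first.split(" ", 1)
            aces = [rest]
        aces += [l.strip() for l in block[1:]]
        acls[path] = []
        for ace in aces:
            m = ACE_RE.match(ace.strip())
            if m:
                acls[path].append((m.group("who"), m.group("perm")))
    return acls


def audit(text: str, program_dirs: Iterable[str], dropbox_dirs: Iterable[str],
          public_dirs: Iterable[str]) -> List[str]:
    """Apply the article's rules and return one finding per violation."""
    program_dirs, dropbox_dirs, public_dirs = set(program_dirs), set(dropbox_dirs), set(public_dirs)
    findings: List[str] = []
    for path, entries in parse_cacls(text).items():
        for who, perm in entries:
            if who == "Everyone" and perm in WRITE_PERMS and path not in dropbox_dirs:
                findings.append(f"{path}: Everyone can write ({perm}); only a drop box should allow that")
            if path in program_dirs and who not in ADMIN_ACCOUNTS and perm in WRITE_PERMS:
                findings.append(f"{path}: program directory is writable by {who} ({perm}); should be R")
            if path in dropbox_dirs and who == "Everyone" and perm != "W":
                findings.append(f"{path}: drop box should give Everyone W only, not {perm}")
            if path in public_dirs and who == "Everyone" and perm != "R":
                findings.append(f"{path}: public folder should give Everyone R only, not {perm}")
    return findings


def audit_sample() -> List[str]:
    """Run the audit over the constructed output with assumed folder roles."""
    return audit(SAMPLE_CACLS, program_dirs=["E:\\apps"], dropbox_dirs=["E:\\dropbox"],
                 public_dirs=["E:\\public"])


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On a real server, redirect `cacls <folder>` for each folder of interest into one file and
pass its contents to audit() with your own folder roles; the sample yields three findings
(two for E:\apps, where Everyone has Full Control on a program directory, one for
E:\data, where Everyone can Change files).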
Auditing and Event Logs
-----------------------
Check the status of audit settings by choosing Audit on the Policies menu in the User
Manager for Domains. The Audit Policy dialog box appears. The settings in this box reflect
the minimum settings that are appropriate for auditing in most environments. Keep in mind
that auditing too many events can affect a system's performance.
Protect auditing and security logs from other administrators who might change or delete
them. You can grant only the Administrators group the ability to access the logs. To
restrict access to only one user (the "auditor"), remove all users except the auditor
from the Administrators group. This means all of your other administrators should be
members of a management group that does not have the "Manage auditing and security log"
right.
Check for failed logons in the Event Viewer. You can enable security auditing for logon
attempts, file and object access, use of user rights, account management, security
policy changes, restart and shutdown, and process tracking.
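The two checks above (failed logons in the Security log, and administrators tampering with
the log itself) can be scripted rather than done by scrolling through Event Viewer. The
following is an added example in Python, not part of the original article. It runs over
constructed records in an assumed "date time event_id account workstation" column layout,
using the NT 4.0/2000 Security log event IDs 528 (successful logon), 529 (logon failure:
unknown user name or bad password) and 517 (audit log cleared); the threshold of five
failures in two minutes is an arbitrary choice.

```python
"""Failed-logon burst and log-clearing detector over a Security log export.

Added example, not code from the article. Records are constructed in an
assumed layout; event IDs 528/529/517 are the NT 4.0/2000 Security log IDs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    time: datetime
    event_id: int
    account: str
    workstation: str


# Constructed sample, not exported from a real server.
SAMPLE_LOG = """\
2003-04-11 08:00:05 528 alice WS01
2003-04-11 08:01:10 529 administrator WS17
2003-04-11 08:01:12 529 administrator WS17
2003-04-11 08:01:15 529 administrator WS17
2003-04-11 08:01:19 529 administrator WS17
2003-04-11 08:01:24 529 administrator WS17
2003-04-11 08:01:31 528 administrator WS17
2003-04-11 09:30:00 529 bob WS02
2003-04-11 09:45:00 528 bob WS02
2003-04-11 10:00:00 517 administrator WS17
"""


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated export into Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, event_id, account, workstation = line.split()
        events.append(Event(datetime.fromisoformat(f"{day} {clock}"),
                            int(event_id), account, workstation))
    return events


def detect(events: List[Event], threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> List[str]:
    """Flag a burst of failures per (account, workstation), a success right
    after such a burst (a guessed password), and any clearing of the log."""
    findings: List[str] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.time):
        failures = recent[(ev.account, ev.workstation)]
        while failures and ev.time - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        stamp = ev.time.strftime("%Y-%m-%d %H:%M:%S")
        if ev.event_id == 529:
            failures.append(ev.time)
            if len(failures) == threshold:                    # fire once, when the threshold is hit
                findings.append(f"{stamp} {threshold} failed logons for {ev.account} "
                                f"from {ev.workstation} within {window}")
        elif ev.event_id == 528:
            if len(failures) >= threshold:
                findings.append(f"{stamp} logon for {ev.account} from {ev.workstation} succeeded "
                                f"after {len(failures)} failures: password possibly guessed")
            failures.clear()
        elif ev.event_id == 517:
            findings.append(f"{stamp} Security log cleared by {ev.account} from {ev.workstation}")
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Bob's single failure followed by a success fifteen minutes later is not reported; the
burst against the administrator account from WS17, the logon that followed it, and the
later clearing of the log are. Event 517 is worth alerting on unconditionally, since the
only legitimate reason to clear the log is an archive step that the auditor already knows
about.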
Backup
------
Backup policies and procedures are essential. In your evaluation, determine which users
belong to the Backup Operators group. Carefully evaluate whether you trust these users. Backup
operators have the ability to access all areas of the system to back up and restore files,
regardless of the permissions set on those files.
Members of the Backup Operators group should have special logon accounts (not regular user
accounts) on which you can set logon restrictions. If Joe is the backup operator, he should
have a regular logon account for his personal activities and a special logon account for
backing up the system. Set restrictions on the backup account that force Joe to log on
from a specific workstation only during appropriate hours. Change the name and password of
the account frequently to guard against hijacking.
- Review the backup policies. Is the backup schedule appropriate? Are files safely
transported to secure backup locations? How might backup compromise the confidentiality
of files?
- View the Event Log to audit backup activities.
Final conclusion
----------------
I hope this article gave you some basic information on how to administer your Windows NT
server. For more information I recommend reading the following books:
- Inside Windows NT Server 4 : Administrators Resource Edition
<http://www.amazon.com/exec/obidos/ASIN/1562057278/netsecurity>
This national bestseller has been updated and expanded to cover the most talked-about
Windows NT-related technologies and the latest information on Windows NT Server 4. Aimed
at network administrators, consultants, and IT professionals, this book provides invaluable
information to help you get up and running. Written by experts, this comprehensive book
takes you through the ins and outs of installing, managing, and supporting a Windows NT
network - with efficiency. Loaded with tutorials and organized as a reference, it's the
perfect resource for new administrators who need to get up to speed quickly, as well as
technically savvy and experienced administrators who just need to locate the most essential
information - without reading every page.
- Essential Windows NT System Administration
<http://www.amazon.com/exec/obidos/ASIN/1565922743/netsecurity>
Essential Windows NT System Administration helps you manage Windows NT systems as
productively as possible, making the task as pleasant and satisfying as can be. It
combines practical experience with technical expertise, helping you to work smarter
and more efficiently. It covers not only the standard utilities offered with the Windows
NT operating system, but also those from the Resource Kit, as well as important commercial
and free third-party tools. It also pays particular attention to developing your own
tools by writing scripts in Perl and other languages to automate common tasks. This book
covers the workstation and server versions of Windows NT 4 on both Intel and Alpha
processor-based systems.
- Microsoft Windows NT 4.0 Security, Audit, and Control
<http://www.amazon.com/exec/obidos/ASIN/157231818X/netsecurity>
This "Security Handbook" is the official guide to enterprise-level security on networks
running Microsoft Windows NT Server 4.0. Written in collaboration between Microsoft and
MIS professionals at Coopers & Lybrand, here is the essential reference for any Windows
NT Server 4.0-based network.
This is only a small selection of the books on Windows NT security and administration. You
can find more books on Windows NT at our online bookstore <http://net-security.org/books/>
Default newsletter (http://default.net-security.org)
Project Descriptive Name: TWEAK for Windows
Project UNIX Name: tweak
Project Description: Tweaks the Windows 2000 user interface and system; configures applications; manages icons, file permissions and associations, applying such changes in convenient
chunks, for better performance, usability and security
Registration Description:
The Windows Environment and Application Konfigurator (TWEAK)
Windows' default configuration can be much improved upon in terms of performance, usability and security. Configuring Windows and software applications can
be time consuming, especially if you manage a lot of computers.
This program tweaks the Windows user interface and system configuration; configures applications; and manages icons, file permissions and associations by
making automated changes to the Windows registry and file system, in accordance with our document on Configuring Windows 2000 for Performance, Usability
and Security (http://thegoldenear.org/toolbox/windows/docs/windows/win-nt-config.html), applying settings in convenient chunks defined by subject and
context.
The major features included in the software:
- Windows configuration
- Application configuration
- Icon management
- Backup and recovery
- Driver configuration
- file and directory permissions (ACLs) for mail-server
The Windows configuration section in particular includes these options:
- System file cleanup - remove, re-organise and quarantine files
- Create new system directory structure on D:,E:,F:
- Configure Windows to use new directory structure on D:,E:,F:
- Configure general Windows system and interface on this machine
- Replace %SYSTEMDRIVE%\BOOT.INI (assumes ATA/IDE HDD, Windows on partition 1!)
- per-machine manual settings we haven't been able to automate yet
- Clean up current user's file and directory structure
- Create a new directory structure for current user on D:,E:,F:
- Configure current user's Windows system to use D:,E:,F:
- Configure current user's Windows interface
- Configure current user's Internet Explorer interface and security
- per-user manual settings we haven't been able to automate yet
Among the many items we want to add, important ones are increasing Windows' security and adding full Windows XP compatibility.
Perl syntax
===========
Use \Q and \E to backslash all nonalphanumeric characters between them, so that the value of
an environment variable is matched literally rather than interpreted as a regex, e.g.:
perl -pi.bak -e "s/\Q$ENV{TEMP}\E/PUT_USER_TEMP_LOCATION_HERE/gi"
but note the potential problem doing this in Windows XP Home
Reg.exe syntax
==============
[-HKEY_CLASSES_ROOT\.abc]
a leading "-" on the key name removes the key .abc (and everything under it), whereas
[HKEY_CLASSES_ROOT\.abcdTest]
"Testing"=-
removes the value Testing but not the key
------------------------------
Different syntax is needed when inserting an environment variable itself (rather than its
expanded value) into the registry with REG ADD: from the command line E:\%"USERNAME"%\WINNT
works, but from within a batch file it inserts E:\WINNT into the registry, so there you have
to double the percent signs: E:\%%USERNAME%%\WINNT
rem for more extreme security, remove the ability to change the feature either way
rem (requires a reboot)
reg add HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 00000001 /f
rem general form: reg add <KEY> /v <ValueName> /t REG_<TYPE> /d <Data> /f
------------------------------
"Entry REG_SZ"="Bla bla bla"
"Entry REG_DWORD"=dword:00000040
"Entry REG_BINARY"=hex:01,00,01,00
"Entry REG_EXPAND_SZ"=hex(2):30,31,32,33,00
"Entry REG_MULTI_SZ"=hex(7):30,31,32,33,00,00,00
hex(2) - REG_EXPAND_SZ (string bytes, NUL-terminated)
hex(7) - REG_MULTI_SZ (NUL-separated strings, ending in a double NUL)
------------------------------
The differences between .reg version 4 and version 5 files are the header ('REGEDIT4' versus
'Windows Registry Editor Version 5.00') and the encoding: version 4 is saved in ANSI, version 5
in Unicode (UTF-16LE), so the string bytes inside hex(2) and hex(7) payloads are one byte per
character in version 4 and two in version 5. Windows 2000's regedit imports both formats.
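Pulling the notes above together, here is a small parser for the .reg syntax as an added
example in Python; it is not code from the page or from Microsoft. It recognises both
headers, keeps the [-KEY] and "name"=- deletion markers, converts dword:, hex:, hex(2):
and hex(7): payloads, and decodes string payloads as ANSI (cp1252 assumed) for REGEDIT4
files and UTF-16LE for version 5.00 files. The two sample exports are constructed: the
[-HKEY_CLASSES_ROOT\.abc] line and the value lines come from the notes above, and the key
HKEY_CURRENT_USER\Software\ExampleApp is hypothetical.

```python
"""Parser for the .reg syntax noted above (REGEDIT4 and version 5.00 files).

Added example, not code from the page. Sample exports are constructed;
the ExampleApp key is hypothetical. ANSI is assumed to mean cp1252.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

Value = Union[str, int, bytes, List[str], None]   # None means "delete this value"
Keys = Dict[str, Optional[Dict[str, Value]]]      # None means "delete this key"

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<body>.*)$")

# Constructed REGEDIT4 (ANSI) export built from the lines in the notes above.
SAMPLE_V4 = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\.abc]

[HKEY_CURRENT_USER\Software\ExampleApp]
"Testing"=-
"Entry REG_SZ"="Bla bla bla"
"Entry REG_DWORD"=dword:00000040
"Entry REG_BINARY"=hex:01,00,01,00
"Entry REG_EXPAND_SZ"=hex(2):30,31,32,33,00
"Entry REG_MULTI_SZ"=hex(7):30,31,32,33,00,00,00
"Path"="C:\\WINNT"
"""

# Constructed version 5.00 export: the same REG_MULTI_SZ type, now UTF-16LE,
# holding the two strings "ab" and "c".
SAMPLE_V5 = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleApp]
"Entry REG_MULTI_SZ"=hex(7):61,00,62,00,00,00,63,00,00,00,00,00
"""


def _decode(raw: bytes, unicode_file: bool) -> str:
    return raw.decode("utf-16-le" if unicode_file else "cp1252")


def parse_data(data: str, unicode_file: bool) -> Value:
    """Convert the right-hand side of a "name"=... line."""
    if data == "-":
        return None                               # "name"=- removes the value, keeps the key
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')   # REG_SZ, unescaped
    if data.startswith("dword:"):
        return int(data[6:], 16)                  # REG_DWORD, written as 8 hex digits
    m = HEX_RE.match(data)
    if not m:
        raise ValueError(f"unsupported data: {data!r}")
    raw = bytes(int(b, 16) for b in m.group("body").split(",") if b.strip())
    rtype = int(m.group("type") or "3", 16)       # plain hex: is REG_BINARY (type 3)
    if rtype == 2:                                # hex(2): REG_EXPAND_SZ
        return _decode(raw, unicode_file).rstrip("\0")
    if rtype == 7:                                # hex(7): REG_MULTI_SZ, NUL-separated
        return [s for s in _decode(raw, unicode_file).split("\0") if s]
    return raw                                    # REG_BINARY or any other typed payload


def parse_reg(text: str) -> Tuple[bool, Keys]:
    """Return (is_unicode_file, {key: {value_name: data} or None})."""
    lines = text.lstrip("\ufeff").splitlines()
    header = lines[0].strip() if lines else ""
    if header == "REGEDIT4":
        unicode_file = False
    elif header == "Windows Registry Editor Version 5.00":
        unicode_file = True
    else:
        raise ValueError(f"unknown .reg header: {header!r}")
    keys: Keys = {}
    current: Optional[Dict[str, Value]] = None
    pending = ""                                  # hex payload continued over "\"-ended lines
    for line in lines[1:]:
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group("delete"):
                keys[km.group("key")] = None      # [-KEY] removes the whole key
                current = None
            else:
                current = keys.get(km.group("key")) or {}
                keys[km.group("key")] = current
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name") if vm.group("name") is not None else "@"
            current[name] = parse_data(vm.group("data"), unicode_file)
    return unicode_file, keys
```

Read a real export with the right codec before passing it in (cp1252 for REGEDIT4 files,
utf-16 for version 5.00 ones, which carry a BOM); the header check then tells you how to
interpret the hex(2) and hex(7) byte strings, which is exactly the point the notes above
make about the two formats.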
'if exist' syntax
=================
in some cases you have to put ( and ) within "" if you use them inside an 'if ... ( ... )'
block; see win config's 'O' for an example of both having to and not having to. But "" isn't
the right character to escape a ( because, although it works, it prints the "" to the screen;
cmd's escape character is ^, so write ^( and ^) for literal parentheses inside a block.
Setting file type associations - various notes
==============================================
for information on setting file types, including resetting .bat, .exe, etc:
http://personal.cfw.com/~tkprit/ui/re_types.html
the RK's associate wipes out any open/view/etc. verbs already present that you don't define
the RK's associate should instead use a syntax like this, though it doesn't add the "" around the program name;
note that it adds the %1 itself, but again not within ""
'associate .doc ""%PROGRAMFILES%\Openoffice\program\soffice.exe" -o" /f'
the RK book doesn't even describe Associate
0.2 - 11 April 2003
- changed all OpenOffice types to use new syntax
- an original has options for open, new, print, etcetera and uses this syntax:
"C:\programs\Openoffice\program\soffice.exe" -o "%1"
with -n for new, -o for open, etcetera
- %1 is applied without us specifying it. if you want the -o you have to add it with ""
but it still doesn't come out looking like ...exe" -o "%1"
- this method doesn't put a title in either
Notes:
- If an audio editor is installed, such as Audacity or Cool Edit, they should take .WAV
- Leave images to load in IrfanView even if image editing software is installed
- Quark files may want to load in the PageMaker Quark converter
associated registry settings:
User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoFileAssociate
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = buttons enabled, 1 = buttons disabled)
http://www.ultratech-llc.com/kb/asp/fileview.asp?file=/kb/assoc.txt
http://www.xs4all.nl/~wstudios/Associate/ - but it's a GUI tool
HKEY_LOCAL_MACHINE\SOFTWARE\Classes - global file type associations
HKEY_CURRENT_USER\SOFTWARE\Classes takes precedence in the event of a duplicate
The user interface (UI) still points to the global settings in HKEY_LOCAL_MACHINE\SOFTWARE\Classes
Cannot Run Applications after Making File Association - http://support.microsoft.com/?KBID=163017
The setting of an application overrides the settings specified for the file type. File type and
class settings are valid for all users of the workstation; the association between extension and
application is only valid for the current user. The associations are stored in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and the applications
themselves are stored in the key HKEY_CLASSES_ROOT\Applications.
Windows stores the extension in its registry in the key HKEY_CLASSES_ROOT\.extension, creates a
file type and stores it with description, selected program and optional icon in the key
HKEY_CLASSES_ROOT\GeneratedFileTypeName. From then on it tries to use this program when handling
files with this extension.
Setting System Environment Variables
====================================
use either:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "PML" /t REG_EXPAND_SZ /d "\\mail-server\mail\distribution-lists" /f
setx PML "\\mail-server\mail\distribution-lists" -m
Setting ACLs / permissions
==========================
We use SIDs rather than names to reference groups, because a well-known SID is the same on
every machine and in every language of Windows, such as:
Administrators group: S-1-5-32-544
Everyone: S-1-1-0
See the list at: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
where the mail ACLs are set using:
SetACL -on "E:\mail" -ot file -rec cont_obj -actn ace -ace "n:S-1-5-32-544;p:full;s:y;m:grant;w:dacl"
they could alternatively be set using:
cacls "mail" /e /g administrators:F
cacls "mail\*.*" /t /e /g administrators:F
(cacls takes a name, not a SID; "administrator:F" would grant the Administrator user rather
than the Administrators group, so name the group)
and so:
SetACL -on "E:\mail" -ot file -rec cont_obj -actn ace -ace "n:S-1-1-0;s:y;p:write;m:set;w:dacl"
xcacls "E:\mail" /e /p everyone:W
xcacls "E:\mail\*.*" /t /e /p everyone:W
SetACL -on "E:\mail\%user%" -ot file -rec cont_obj -actn ace -ace "n:%user%;p:full;m:set;w:dacl"
xcacls "E:\mail\%user%" /e /g %user%:F
xcacls "E:\mail\%user%\*.*" /e /g %user%:F
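The SID strings used in the SetACL commands above are a textual form of the binary SID
structure that Windows stores in every ACE, which is why S-1-1-0 (Everyone) and
S-1-5-32-544 (Administrators) cannot be confused once you look at the bytes. The following
is an added example in Python, not code from the page or from the SetACL project: it
encodes a SID string into that structure, decodes it back, and names the well-known SIDs
referenced in this section plus SYSTEM and Backup Operators; the long domain SID in the
usage note is a made-up value used only to show a round trip.

```python
"""SID string <-> binary structure, with the well-known SIDs used above.

Added example, not code from the page. The binary layout is the one Windows
stores in ACEs: revision (1 byte), sub-authority count (1 byte), identifier
authority (6 bytes, big-endian), then each sub-authority as a 32-bit
little-endian integer.
"""
import struct
from typing import Dict

# Well-known SIDs this section relies on (from the KB article cited above).
WELL_KNOWN: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}


def sid_to_bytes(sid: str) -> bytes:
    """Encode "S-<revision>-<authority>-<sub>-..." as the binary SID structure."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"SID field out of range: {sid!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary structure back to its string form."""
    if len(raw) < 8:
        raise ValueError("too short for a SID")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def describe(sid: str) -> str:
    """Name a well-known SID, or say that the table does not know it."""
    return WELL_KNOWN.get(sid, "not a well-known SID in this table")


if __name__ == "__main__":
    for s in ("S-1-1-0", "S-1-5-32-544", "S-1-5-21-1004336348-1177238915-682003330-512"):
        print(s, sid_to_bytes(s).hex(), describe(s))
```

Everyone encodes to 01 01 000000000001 00000000 and Administrators to
01 02 000000000005 20000000 20020000: different authority (1 versus 5), different
sub-authority count, different values. Anything that accepts "Administrators" as a name
instead (cacls, for instance) depends on the display language of the machine, which is the
reason this section uses SIDs.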
Syntax for menu options when setting file type associations
===========================================================
rem menu options translator:
rem O__ - Office suite
rem W__ - web
rem I__ - image
rem T__ - plain text
rem A__ - audio
rem V__ - video
rem P__ - PDF/PS
rem _O_ - Open (double-click)
rem _E_ - Edit (right-click and edit)
rem _P_ - Print (right-click and print)
rem __O - OpenOffice
rem __F - Firebird
rem __M - Mozilla
rem __I - IrfanView
rem __N - NoteTab
rem __Z - Zinf
rem __V - VideoLan
rem __G - GIMP
rem __GS - Ghostscript
rem __AU - Audacity
rem __MO - Microsoft Office
rem __AR - Acrobat Reader
rem __AW - Acrobat
rem __AA - Adobe Audition
rem files can Open in one program and Edit in another. We use the icon for the Opening program
unzip32 syntax
==============
- '-o': overwrite without prompting; '-d': extract to this directory
- unzip32 can't use -v for verbosity as it then says it's ignoring the -d. is this a bug?
- unzip32 replaces \ with / but it still works
- unzip32 can't use "" around the file and directory name after -d as it literally includes the "",
but you must put "" around environment variables themselves
- unzip32 needs "" around environment variables themselves in case they contain a space, which causes unzip32 to choke
regfree
-------
regfree -quiet -CheckKey "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
rem "errorlevel" == "0" compared two literal strings and never matched; test the exit code instead
rem (errorlevel 0 meaning the key exists)
if not errorlevel 1 (
regfree -quiet -DeleteKey "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
regfree -quiet -DeleteKey "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
)
Windows Automatic Updates options
---------------------------------
(values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update; the
Policies\Microsoft\Windows\WindowsUpdate\AU key used above overrides them when present)
AUOptions = 2 (Degree of user interaction)
1 = Disables AU (Same as disabling it through the standard controls)
2 = Notify Download and Install (Requires Administrator Privileges)
3 = Notify Install (Requires Administrator Privileges)
4 = Automatically, no notification (Uses ScheduledInstallTime and ScheduledInstallDay)
AUState = 2 (The state of AU, for diagnostics)
0 = Initial 24 hour timeout after detecting Internet Connection
1 = Waiting for user to run AU wizard
2 = Detect pending (Looking for new patches)
3 = Download pending (waiting for user to accept pre-download prompt)
4 = Download in progress
5 = Install pending (Waiting for install of downloaded patches)
6 = Install complete
7 = Disabled (AUOptions will also be set to a value of 0x1)
8 = Reboot pending (Waiting for reboot required by installed patches)
Windows Server 2003 Security Guide V1.0
(c) Microsoft 2003
Released April 24, 2003
=================================================================================
Windows Server 2003 Security Guide Download
TechNet: http://go.microsoft.com/fwlink/?LinkId=14845
Download: http://go.microsoft.com/fwlink/?LinkId=14846
The Windows Server 2003 Security Guide provides levels of guidance for a number of server roles in multiple different client environments. This guidance includes steps to harden Domain Controllers, Infrastructure servers, File servers, Print servers, IIS servers, IAS servers, machines running Certificate Services, and bastion hosts.
The Windows Server 2003 Security Guide focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows Server 2003 in many environments. While the product is extremely secure from the default installation, there are a number of security options that can be further configured based on specific requirements. This guidance not only provides recommendations, but also the background information on the risk that the setting is used to mitigate as well as the impact to an environment when the option is configured.
=================================================================================
Folder contents of the Windows_Server_2003_Security_Guide.exe:
<Windows Server 2003 Security Guide>
Windows Server 2003 Security Guide.pdf
Chapter 1: Introduction to the Windows Server 2003 Security Guide
Chapter 2: Configuring the Domain Infrastructure
Chapter 3: Creating a Member Server Baseline
Chapter 4: Hardening Domain Controllers
Chapter 5: Hardening Infrastructure Servers
Chapter 6: Hardening File Servers
Chapter 7: Hardening Print Servers
Chapter 8: Hardening IIS Servers
Chapter 9: Hardening IAS Servers
Chapter 10: Hardening Certificate Services Servers
Chapter 11: Hardening Bastion Hosts
Chapter 12: Conclusion
Testing the Windows Server 2003 Security Guide.pdf
Delivering the Windows Server 2003 Security Guide.pdf
Supporting the Windows Server 2003 Security Guide.pdf
Windows Server 2003 Security Guide Release Notes.pdf
<Windows Server 2003 Security Guide\Tools and Templates>
<Windows Server 2003 Security Guide\Tools and Templates\Delivery Guide>
Windows Server 2003 Security Guide Implementation Vision Scope.doc
Windows Server 2003 Security Guide Implementation Functional Specification.doc
Windows Server 2003 Security Guide Implementation.mpp
<Windows Server 2003 Security Guide\Tools and Templates\Security Guide>
<Windows Server 2003 Security Guide\Tools and Templates\Security Guide\Checklists>
IPSec Filter Network Traffic Maps.xls
PacketFilters-DC.CMD.txt
PacketFilters-DHCP.CMD.txt
PacketFilters-WINS.CMD.txt
PacketFilters-File.CMD.txt
PacketFilters-Print.CMD.txt
PacketFilters-IIS.CMD.txt
PacketFilters-SMTPBastionHost.CMD.txt
<Windows Server 2003 Security Guide\Tools and Templates\Security Guide\Sample Scripts>
Domain Checklist.doc
Member Server Baseline Checklist.doc
Domain Controller Checklist.doc
Infrastructure Server Checklist.doc
File Server Checklist.doc
Print Server Checklist.doc
IIS Server Checklist.doc
IAS Server Checklist.doc
Certificate Services Checklist.doc
Bastion Host Checklist.doc
<Windows Server 2003 Security Guide\Tools and Templates\Security Guide\Security Templates>
Windows Server 2003 Security Guide Settings.xls
Legacy Client - Domain.inf
Enterprise Client - Domain.inf
High Security - Domain.inf
Legacy Client - Member Server Baseline.inf
Enterprise Client - Member Server Baseline.inf
High Security Client - Member Server Baseline.inf
Legacy Client - Domain Controller.inf
Enterprise Client - Domain Controller.inf
High Security - Domain Controller.inf
Legacy Client - Infrastructure Server.inf
Enterprise Client - Infrastructure Server.inf
High Security Client - Infrastructure Server.inf
Legacy Client - File Server.inf
Enterprise Client - File Server.inf
High Security Client - File Server.inf
Legacy Client - Print Server.inf
Enterprise Client - Print Server.inf
High Security Client - Print Server.inf
Legacy Client - IIS Server.inf
Enterprise Client - IIS Server.inf
High Security Client - IIS Server.inf
Enterprise Client - IAS Server.inf
Enterprise Client - Certificate Services.inf
High Security Client - Bastion Host.inf
<Windows Server 2003 Security Guide\Tools and Templates\Test Guide>
Functionality Test Cases.xls
Interoperability Automated Test Cases.xls
Interoperability Test Cases.xls
<Windows Server 2003 Security Guide\Tools and Templates\Test Guide\Test Scripts>
AdminChangePassword.vbs
AdminFileAccess.vbs
AdminLogon.vbs
AdminPrint.vbs
AdminPrintQueues.vbs
config.ini
DirectoryQuery.vbs
Imp_Read.txt
MSSLog.txt
UserChangePassWord.vbs
UserFileAccess.vbs
UserLogon.vbs
UserPrint.vbs
UserPrintQueues.vbs
Win2kReleaseIPRenewIP.vbs
=================================================================================
TERMS OF USE
We at Microsoft Corporation hope that the information in this download is valuable to you.
This download and all files contained within are subject to Microsoft's standard TERMS OF USE for microsoft.com.
The TERMS OF USE for this download are located at http://www.microsoft.com/info/cpyright.htm
----------------------------------------------------------------------
Remote Administrator for Win9X/ME/NT4.0/2000
Version: 2.1
Copyright (c) 1999-2001 by Famatech LLC
Date: July 24th, 2001
----------------------------------------------------------------------
You can find complete help in 'help.hlp' file
----------------------------------------------------------------------
Radmin
----------------------------------------------------------------------
Contents:
* What is Radmin?
- What makes it different from other systems?
- Features
* System requirements
* Installation
* Radmin Security
* How to contact us
----------------------------------------------------------------------
What is Radmin?
----------------------------------------------------------------------
Radmin is a remote control program that lets you work on another
computer remotely through your own. You see the remote computer's
screen in a resizable window on your own monitor or as the full
screen. Your mouse and keyboard control the remote computer so you
can work on the remote computer just as if you were sitting right at
it.
The remote computer can be anywhere on the Internet or in your local
network. You don't need a fast network connection. Even with a MODEM
the screen update speed is an acceptable 5-10 screen updates per
second. If the remote computer is on your LOCAL NETWORK the typical
speed is from 100 to 500 screen updates per second.
Often while working in Radmin's full-screen mode, you forget that you
are working on a REMOTE computer!
Radmin consists of two parts:
* The server on the remote computer that sends the remote
computer's screen display.
* The client—also called the viewer—that shows the remote screen
display on your own monitor.
To get started you need to run Radmin server on the remote computer.
Then run Radmin client on your own computer. The current version of
Radmin requires a TCP/IP connection between both computers, so you'll
need to set this up if they are not already connected.
----------------------------------------------------------------------
What makes it different from other systems?
----------------------------------------------------------------------
The speed: Radmin is much faster than every other remote control system
available. For example, we tested the widely used VNC (AT&T's Virtual
Network Computing) and found that Radmin is 150 times faster!
Radmin outperforms every other known remote control system, including
pcAnywhere, Timbuktu, Remote Control, LapLink, etc.
The test was performed on:
Server: 800 X 600 65535 colors, running Windows NT 4.0 Service
pack 4
Client: 800 X 600 256 colors, running Windows 95
Ethernet 10 Mbit local network.
----------------------------------------------------------------------
Features
----------------------------------------------------------------------
Run as a Service
Radmin server can work as a SERVICE under Win9X/ME/NT4.0/2000.
This lets you log a user on or off remotely.
Multiple Connections Support
Radmin server supports simultaneous multiple connections to the same
remote screen.
Full-Screen, Scaled and Windowed View Modes
Full-screen mode shows the remote screen full-size on your own monitor
Scaled mode lets you see the remote screen in a window on your monitor
scaled to the remote screen's defined size.
Video Hook Driver Technology is Used
Radmin uses video hook kernel mode drivers under Windows NT to capture
screen changes. This boosts the speed to hundreds of screen updates per
second.
File Transfer
Lets you transfer files easily between computers with Windows Explorer
like interface.
Remote Shutdown
Now you don't have to connect in the Full Control mode.
Telnet Server
Radmin server provides Telnet access to remote computers (except on
Win9x).
Windows NT Security Support
You can allow remote control, remote view, telnet and file transfer
access to specific users or user groups from an NT domain. If a user
logged into a WinNT domain connects to Radmin server, the user's
current username/password are employed by Radmin viewer to authorize
a connection to the Radmin server.
Password Protection
If Windows NT security support is switched off, access to a remote
computer is controlled by a password. Radmin uses a challenge-response
password authentication method based on 128 bit strong encryption.
128 Bit Strong Encryption of All Data Streams.
In the version 2.1 encryption is always enabled, it causes just 5%
performance loss.
IP Filter
Allows an access to the Radmin server only from specified IP addresses
and subnets.
Radmin Supports High-Resolution Modes
Display resolutions up to 2048 X 2048 X 32 bit color are supported by
Radmin.
----------------------------------------------------------------------
System requirements.
----------------------------------------------------------------------
No special requirements for hardware:
If your computer can run Windows 95 or higher, the program will run.
It even runs on a 386 with 8 MB RAM.
NOTE: Radmin still operates successfully when the display, mouse and
keyboard are disconnected from the remote computer, however some
computers do not boot successfully without a keyboard plugged in.
For All Operating Systems (Win9x/ME/NT/2000):
The computer must have TCP/IP installed, the most-used protocol for
networking computers.
Windows NT 4.0:
Service pack 4 or higher is required.
----------------------------------------------------------------------
Installation.
----------------------------------------------------------------------
Two computers need to be connected by TCP/IP, either on a local network
or the Internet.
Radmin must be installed on each computer.
Before Installation For All Users:
Uninstall any earlier version of Radmin, before installing a newer
version.
For Windows 2000 Users:
* You need administrator rights to install Radmin Server as a service.
For Windows NT 4.0 Users:
* You need administrator rights to install Radmin Server as a service
and install the driver.
* Before installing Radmin's video hook driver be sure that any
other Remote Control software that uses video hook driver
technology has been removed.
Running more than one video hook driver can lead to a system crash
while booting.
Sample applications that use a video hook driver: NetMeeting 3.0+,
SMS, Timbuktu.
If a problem occurs while booting with the Radmin driver, you can
press the '1' (number one) key repeatedly during booting and the
Radmin driver will not load.
----------------------------------------------------------------------
Radmin Security
----------------------------------------------------------------------
A lot of attention was paid to security issues in the Radmin design
from the outset. These are the mechanisms Radmin relies on for
securing its operations:
* Radmin 2.1 supports Windows NT/2000 user level security. You
can allow remote control to specific users or user groups.
* If Windows NT security support is switched off, access to a
remote computer is restricted by password. Remote Administrator
uses a challenge-response password authentication method. This
method is similar to the authentication method used in Windows
NT, but uses more powerful security keys.
* Remote Administrator has an encrypted mode, where all data,
including screen images, mouse movements and keypresses are
encrypted. 128 bit Twofish encryption is used. Twofish crypto
is distinguished for its combination of speed, flexibility and
conservative design.
* Remote Administrator server has a logging feature. All actions
are written to the log file.
* Remote Administrator server has an IP filter table that restricts
remote access to IP addresses and networks you specify.
* Remote Administrator has a self testing code defence that
protects the code from being altered.
----------------------------------------------------------------------
How to contact us
----------------------------------------------------------------------
To register, visit our web site (registration page):
http://www.radmin.com/registration.htm
You can download a new version from
http://www.radmin.com/
Tech support e-mail: support@radmin.com
You can find complete help in 'help.hlp' file
----------------------------------------------------------------------
July 24th, 2001
Famatech LLC