
Watch out for third-party network protocols

Here's an IT detective story you've got to read. Find out how a serious security hole leads a seasoned IT pro to a Windows 2000 shutdown problem and then to a third-party networking protocol.


Certain applications add third-party network protocols during installation, which can sometimes cause serious problems—even security hazards. I recently discovered an application that was locking up our NT workstations during shutdown. My predecessor had solved the problem by giving all users Domain Admin rights. To me, this was an unacceptable solution, and, with a little work, I was able to solve the problem without compromising security. Here’s how.

What do you mean all users are Domain Admins?
Soon after starting with my current employer, I made the horrifying discovery that all users were members of the Domain Admins group. I immediately asked the other network engineer and the chief technical officer if they knew why this had been done. Unfortunately, the situation predated both of them. The only information that they had was that if the users were removed from the Domain Admins group, they would no longer be able to shut down their computers.

Let’s do a test
Wanting to remedy this security hole quickly, I took one of our fully installed Dell Optiplex G100 Windows NT workstations and created a new user account that was not a member of the Domain Admins group. The account I created (named “Pepsi”) was, as predicted, not able to shut down the machine. The machine hung at the Closing Network Connections prompt. I then added the user to the Domain Admins group, and the machine shut down fine.

Next, I removed the Pepsi account from the Domain Admins group and added it to the Local Administrators group. This also allowed the computer to be shut down. I tested other user groups (Power Users, Print Operators, and Backup Operators), but none of them allowed Pepsi to shut down the machine.

Since the machine was hanging during the Closing Network Connections process, I removed the Ethernet cable and logged in locally. No change. I then tried logging in to a Workgroup instead of a Domain, but there was still no change.

I researched this issue on Microsoft TechNet and Dell’s knowledge base but found no answers.

Exposing the culprit
Finding no quick solutions, I began the arduous task of formatting my test PC and installing our standard applications. After finishing the installation of Windows NT Workstation 4.0 and adding the machine to the Domain, I logged in and was able to successfully shut down. At this point, I knew a piece of our standard software was causing the problem.

I began installing our applications one at a time, rebooting, logging in, and shutting down. When I reached a point where I could no longer shut down the computer, I was able to identify the culprit—Century Software’s Tiny Term Plus 4.4.

My first instinct was to uninstall Tiny Term. I did this but unfortunately was still unable to shut down. After this initial frustration, I went to Century Software’s Web site and searched its Knowledge Base. Almost immediately, I came upon an article that states that NT Workstation cannot shut down with the Century Network File System (NFS) installed—unless the user is a member of the Local Administrators group.

I immediately uninstalled the Century NFS protocol from the computer’s Network properties and the computer shut down correctly. Just to be safe, I rebuilt the machine again, installing Tiny Term without the Century NFS protocol. The machine shut down fine. To test my solution, I went to one of our production boxes, removed the Century NFS protocol, rebooted, logged in as Pepsi, and was able to successfully shut down.

The final solution
Tiny Term allows our users to view billing information, so removing it was not an option. Therefore, the IT staff began an immediate blitz of the company, removing the Century NFS protocol from every PC. As soon as that was over, I had the pleasure of removing the Domain Users group from the Domain Admins group, plugging a very large security hole.
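A defender-side check for the condition described above (a broad group such as Domain Users nested inside Domain Admins), as an added PowerShell example that is not part of the original article; it assumes the RSAT ActiveDirectory module is installed and the caller can read group membership in the domain.

```powershell
# Added example (not from the article): detect over-broad Domain Admins membership.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Broad, well-known groups that should never be members of Domain Admins.
$broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Test-DomainAdminsScope {
    # Direct members: shows a nested broad group itself (Get-ADGroupMember
    # without -Recursive returns groups as well as users).
    $direct = Get-ADGroupMember -Identity 'Domain Admins'
    $nestedBroad = $direct |
        Where-Object { $_.objectClass -eq 'group' -and $broadGroups -contains $_.name }

    # Effective members: -Recursive expands nesting down to leaf objects, so a
    # user who is a Domain Admin only via "Domain Users" is still counted.
    $effective = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    # Compare the effective admin count with the enabled user population; when
    # they match, effectively every user in the domain is a Domain Admin.
    $enabledUsers = @(Get-ADUser -Filter 'Enabled -eq $true').Count

    [pscustomobject]@{
        NestedBroadGroups   = @($nestedBroad | ForEach-Object { $_.name })
        EffectiveAdminCount = @($effective).Count
        EnabledUserCount    = $enabledUsers
        EveryoneIsAdmin     = (@($effective).Count -ge $enabledUsers)
    }
}

$result = Test-DomainAdminsScope
if ($result.NestedBroadGroups.Count -gt 0) {
    Write-Warning ("Broad group(s) nested in Domain Admins: " +
                   ($result.NestedBroadGroups -join ', '))
}
if ($result.EveryoneIsAdmin) {
    Write-Warning ("Effective Domain Admins ({0}) cover all {1} enabled users." -f
                   $result.EffectiveAdminCount, $result.EnabledUserCount)
}
$result
```

Run it from a domain-joined management host; a clean domain reports no nested broad groups and an effective admin count far below the enabled user count.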
