JRD@cc.usu.edu (Joe Doupnik) (10/25/90)
Has anyone commented on the ability of an ordinary DOS client to execute the StarGROUP DOS Server command SRV and stop the entire server? I pulled the plug on mapping the attutil logical name across the network where this ability is sitting right in the open as SRV.EXE. The trick is to edit the file RULES.LST and remove the last line invoking server file NETSTART.BAT. But this was not quite enough because a user can use Kermit to log into the Unix server and do exactly the same bad things via FACE. Overall this seems to be a cavernous security hole.

Joe D.
jbreeden@netcom.UUCP (John Breeden) (10/27/90)
In article <40913@cc.usu.edu> JRD@cc.usu.edu (Joe Doupnik) writes:
>
> Has anyone commented on the ability of an ordinary DOS client to
> execute the StarGROUP DOS Server command SRV and stop the entire server?
> I pulled the plug on mapping the attutil logical name across the
> network where this ability is sitting right in the open as SRV.EXE. The
> trick is to edit the file RULES.LST and remove the last line invoking
> server file NETSTART.BAT. But this was not quite enough because a user
> can use Kermit to log into the Unix server and do exactly the same bad
> things via FACE.
> Overall this seems to be a cavernous security hole.
> Joe D.

Yes, I'd say that leaving out passwords on a Unix system is a bit of a security hole (-:

You have an old release of StarGroup. It no longer even uses the same application layer that you are now using (nor support for DOS servers - another big security hole in itself). StarGROUP is up to release 3.4 - it's Lan Manager/X over either ISO, Netbeui and one more unannounced transport layer - and three different layers of security.

--
John Robert Breeden, netcom!jbreeden@apple.com, apple!netcom!jbreeden, ATTMAIL:!jbreeden
-------------------------------------------------------------------
"The nice thing about standards is that you have so many to choose from. If you don't like any of them, you just wait for next year's model."