DefaultAppPool can change security settings on remote machines since SP1
I recently discovered a very strange thing. I am running HP SIM (System
Insight Manager) on one box, which tracks several data from systems and
PCs on the network. To contact Windows systems, a WMI-Mapper by the
Opengroup running on a single PC is used to convert WMI information to
WBEM information, which is distributed via an IIS instance running as
DefaultAppPool. Before upgrading to SP1, only the PC running the mapper
had a DefaultAppPool user profile.
Now since the upgrade to SP1 the DefaultAppPool virtual user account
has been added to the remote PCs and even a user profile for this user
was created.
But what really struck me is that this user was now able to add
himself to several user rights settings in the local security policy of
the remote PC. I have the impression that this could be a major
security hole.
The WMI-Mapper itself is not a security problem for me, as it just
does what it should do - but as the DefaultAppPool virtual user account
is ubiquitous on all Windows machines, it should not be able to change
security settings at all.
Wolfgang
March 7th, 2011 2:31pm
Hi,
Based on my understanding, you must set up a domain user for the scan tools or monitoring tools; they will then use this account to scan the remote computers to collect the information. Almost all of these tools will create the profile on the local computer.
But I do not know what the meaning of the virtual user account is. Please clarify and provide detailed information.
Meanwhile, I assume this tool should use a domain account which has enough rights to scan the remote computers, so that the account can modify the user rights.
Because this is an HP tool and I do not know what kind of method or behavior it uses, I suggest that it is better to contact HP support for assistance.
March 10th, 2011 4:30am
Juke Chou wrote:
Hi,
Based on my understanding, you must set up a domain user for the scan
tools or monitoring tools; they will then use this account to scan the
remote computers to collect the information. Almost all of these tools
will create the profile on the local computer. But I do not know
what the meaning of the virtual user account is. Please clarify and
provide detailed information.
Meanwhile, I assume this tool should use a domain account which has
enough rights to scan the remote computers, so that the account can
modify the user rights.
Because this is an HP tool and I do not know what kind of method or
behavior it uses, I suggest that it is better to contact HP
support for assistance.
There is no problem in the function of the tools. But what I find
strange - or a security hole - is the fact that this virtual user (the
concept and naming are a Microsoft thing), which is found on every MS
IIS installation, is able to access remote machines and change local
security settings on the remote machine if you are running Win7 SP1.
This is not the case with Win7 without SP1, nor with WinXP, nor W2K.
Fortunately this user is unable to change settings which are defined
in domain group policies, but maybe only due to the fact that we don't
have a W2008SP1 server.
Wolfgang
March 11th, 2011 2:25pm
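A defender's check for the condition described in this thread, as an added example that is not part of the original posts or of any HP or Microsoft tool: it lists which user rights in a `secedit` export name an application pool virtual account. It relies on application pool identities ("IIS AppPool\<name>") having SIDs that begin with `S-1-5-82-`; the function name `Get-AppPoolUserRights` and the sample SIDs are constructed for illustration.

```powershell
# Added example: report user rights that are assigned to an IIS application
# pool virtual account (SID prefix S-1-5-82-) in a secedit policy export.
function Get-AppPoolUserRights {
    param(
        # Lines of a file written by: secedit /export /cfg <file> /areas USER_RIGHTS
        [Parameter(Mandatory = $true)] [string[]] $PolicyLines
    )
    $inSection = $false
    foreach ($line in $PolicyLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Only the [Privilege Rights] section holds user rights assignments
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $sid = $entry.Trim().TrimStart('*')
                if ($sid -notlike 'S-1-5-82-*') { continue }
                # Resolve the SID to an account name where the machine knows it
                try {
                    $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '(unresolved)' }
                New-Object PSObject -Property @{ Right = $right; Sid = $sid; Account = $name }
            }
        }
    }
}

# Live use, from an elevated prompt on the machine being checked:
#   $cfg = Join-Path $env:TEMP 'user_rights.inf'
#   secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
#   Get-AppPoolUserRights -PolicyLines (Get-Content $cfg)

# Constructed sample export; the S-1-5-82 SID below is made up for illustration
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-82-1111111111-2222222222-3333333333-4444444444-5555555555
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1111111111-2222222222-3333333333-4444444444-5555555555
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

Get-AppPoolUserRights -PolicyLines $sample | Format-Table Right, Account, Sid -AutoSize
```

Running the live form on a machine before and after the service pack, and on a machine without IIS, gives a direct comparison of which rights list an application pool identity.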
Hi,
I am not very familiar with this HP tool. But based on my understanding, the user account which can change the remote security settings must have the privilege.
So I still suggest contacting HP support to find out the behavior of this tool. This can let you know more detail and why the profile is created.
Regarding IIS, you may try to post the thread at
http://forums.iis.net/.
Thanks.
March 13th, 2011 10:09pm