and no man page for psec in SAMBA_2_2

Richard Sharpe rsharpe at ns.aus.com
Fri May 3 09:52:03 GMT 2002


On Fri, 3 May 2002, Jean Francois Micouleau wrote:

> 
> 
> On Fri, 3 May 2002, Richard Sharpe wrote:
> 
> > > btw, Tim, the restricted anonymous enumeration "feature" you had with W2K
> > > and winbind, the policy code in w2k is changing the SD on the LSA pipe.
> >
> > Can you explain that some more? Do you mean that Win2K implements it by
> > placing an SD on the LSA pipe?
> 
> yes. I guess I shouldn't reply before having a coffee.
> 
> There is an SD on the LSA pipe. It's used to control all the LSA functions
> exactly like on the SPOOLSS pipe. And on the SAM pipe, that's the same.
> 
> If you want to check, a nice tool is lsaacl from Todd Sabin at
> razor.bindview.com. Run it against a W2K box and an NT4 box and compare the
> SD. If the restrict anonymous policy stuff is checked, you will see that
> an ACL for everyone is there or not.

OK, they are now known as pipeacl etc, but I can see them. There is an SD 
on lsass, and it currently allows everyone to access it.

It seems obvious that simply removing Everyone would get rid of anon 
access. With the pipeaclui tool, one could add new entries in the DACL for 
lsass. Neat.


Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com
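
The comparison suggested in the thread (dump the pipe's SD on two hosts and see whether an Everyone entry is present), as an added example that is not part of the original messages. It assumes the descriptors are available as SDDL strings, which the thread does not mention; both sample strings are constructed, and the function names are hypothetical.

```python
import re

# Well-known trustees that cover unauthenticated callers (SDDL alias or raw SID).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon"}

# Constructed sample descriptors, not captured from any real host.
OPEN_SD = "O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)"
RESTRICTED_SD = "O:BAG:SYD:(A;;0x12019b;;;AU)(A;;FA;;;BA)"


def parse_dacl(sddl):
    """Return the DACL's ACEs as (ace_type, rights, trustee) tuples."""
    # "D:" + optional flags (P, AI, ...) + a run of "(...)" ACE strings.
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL section in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unsupported ACE: (%s)" % body)
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        aces.append((fields[0], fields[2], fields[5]))
    return aces


def broad_allow_aces(sddl):
    """Access-allowed ACEs granted to Everyone or Anonymous Logon."""
    return [(BROAD[t], rights) for typ, rights, t in parse_dacl(sddl)
            if typ == "A" and t in BROAD]


def compare_trustees(sddl_a, sddl_b):
    """Trustees holding allow ACEs in only one of the two DACLs."""
    a = {t for typ, _r, t in parse_dacl(sddl_a) if typ == "A"}
    b = {t for typ, _r, t in parse_dacl(sddl_b) if typ == "A"}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for name, sd in (("open", OPEN_SD), ("restricted", RESTRICTED_SD)):
        print(name, broad_allow_aces(sd))
    print(compare_trustees(OPEN_SD, RESTRICTED_SD))
```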
