Sober Confessions of a Sys Admin


Sneakin' about

Photo by MJTR Photostream

In 2001 I took a contract with a company that wanted to deploy the Tivoli line of desktop management products. The Administrator community was quite hostile to the idea of using Systems Management tools from Tivoli. Many of these admins simply loved Microsoft. SMS 2.0, however, simply could not have met our needs.

Anyway, many attempts were made to break the Tivoli agents (TMA). I ended up writing a little utility that I called MsLanMgr.exe. When I compiled the program I made sure the company data in the header read "Microsoft Corp." and in the product description header I put a pathetically nonsensical string that I knew would placate (fool) any prying eyes. The description read: "LDAP Binder for MS LAN Manager". This utility was called from the Run key in the registry. It simply repaired any damage to the TMA and, in some cases, it would need to reboot to have the repair finish successfully. I went digging through my archives and I found the utility. Here is a snippet of code where I checked the Local Security Policies (like Bypass Traverse Checking or Replace a Process Level Token).

; WinBatch (Win32 Network extension). GRP, PUGRP and the *K privilege-name
; constants are defined earlier in the utility; wntPrivGet returns @True when
; the named group holds the given right on the local machine ("").
OS=wntPrivGet("",GRP,OSK,0)           ; Act as Part of the Operating System
QTA=wntPrivGet("",GRP,QTAK,0)         ; Increase quotas
TKN=wntPrivGet("",GRP,TKNK,0)         ; Replace a Process Level Token
TRVRS=wntPrivGet("",PUGRP,TRVRSK,0)   ; Bypass Traverse Checking
LGNLCL=wntPrivGet("",PUGRP,LGNLCLK,0) ; Logon Locally

And a snippet from where I would log some info about tampering (and then reboot).

if TKN == @False                       ; the group lost "Replace a Process Level Token"
    REBOOT = @True                     ; repair needs a reboot to take effect
    if DirExist(StrCat(CNLOGDIR,"\"))  ; only log if the central log share is reachable
        EPLOG = FileOpen("%CNLOGDIR%\%CN%.log", "APPEND")
        WRTDATE = FileWrite(EPLOG, "%IPADDR% %OSNAME% %DATE% Replace_Token_Key")
        FileClose(EPLOG)
    endif
endif
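The user-rights check that MsLanMgr.exe did can be reproduced today from PowerShell. The script below is an added example written for this page, not the author's utility: it exports the local User Rights Assignment with secedit, resolves who holds the five rights the WinBatch snippet tested, and writes a log line in the same layout when an expected account has lost "Replace a process level token". The expected account, the log path and the constant-to-name table are assumptions made for the example; it needs to run elevated.

```powershell
# Added example, not the author's MsLanMgr.exe. Checks the same five rights the
# original WinBatch snippet tested, via a secedit export of the local policy.
# Assumed: run elevated on Windows; $Expected and the log path are placeholders.

$Rights = [ordered]@{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process (Increase quotas)'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
}

function Get-UserRightsAssignment {
    # Export only the USER_RIGHTS area and parse the [Privilege Rights] section.
    # secedit writes the .inf as UTF-16LE; holders are "*SID" or plain account names.
    $inf = Join-Path $env:TEMP ("ur-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw "secedit export failed; run this elevated" }

    $map = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $holders = foreach ($h in ($Matches[2] -split ',')) {
            $h = $h.Trim()
            if ($h -eq '') { continue }
            if ($h.StartsWith('*')) {
                # Resolve the SID to DOMAIN\Name; fall back to the raw SID if it cannot be resolved.
                try { (New-Object Security.Principal.SecurityIdentifier($h.Substring(1))).Translate([Security.Principal.NTAccount]).Value }
                catch { $h.Substring(1) }
            } else { $h }
        }
        $map[$right] = @($holders)
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $map
}

function Test-HoldsRight {
    param([hashtable]$Assignments, [string]$Privilege, [string]$Account)
    return ($Assignments[$Privilege] -contains $Account)
}

$ua = Get-UserRightsAssignment
foreach ($p in $Rights.Keys) {
    $who = if ($ua[$p]) { $ua[$p] -join ', ' } else { '<nobody>' }
    '{0,-30} {1,-45} {2}' -f $p, $Rights[$p], $who
}

# Tamper check in the spirit of the original: if the account the agent relies on no
# longer holds SeAssignPrimaryTokenPrivilege, append "IP OS DATE Replace_Token_Key".
$Expected = 'NT AUTHORITY\LOCAL SERVICE'                 # assumption for the example
$LogPath  = Join-Path $env:TEMP "$env:COMPUTERNAME.log"   # assumption for the example
if (-not (Test-HoldsRight $ua 'SeAssignPrimaryTokenPrivilege' $Expected)) {
    $ip = Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -ne '127.0.0.1' } |
          Select-Object -First 1 -ExpandProperty IPAddress
    "$ip $([Environment]::OSVersion.VersionString) $(Get-Date -Format s) Replace_Token_Key" |
        Add-Content -Path $LogPath
}
```

The export-and-parse approach is what a management agent's health check can do without a third-party extension; the same [Privilege Rights] values can also be pushed back with secedit /configure, which is the repair half the original utility performed.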

I find it hilarious that regular admins who were wary of Tivoli never ever questioned this utility. It was finally decommissioned later. The Tivoli implementation would have been VERY difficult were it not for this little subterfuge.

In 1998 some fellow admins and I noticed (from the Proxy logs) that a particular fellow seemed to have a penchant for viewing p0rn from his work computer. This was, of course, against company policy. Instead of running to the Director of IT we just decided to have some fun. One of our gang (a guy named Rich) noticed that this fellow stored many of the photos on his work computer in an innocuously named folder. Rich wrote a script that would traverse the p0rn folder, and each .jpg would be opened by Microsoft Paint. When one photo was closed a new one would open up. We set the scheduler to fire off around lunch time. We waited. We got a call from one of the Help Desk operators. She said that they had just had an odd support call: a man breathing hard, who refused to give his name or Cost Center ID, asked what would cause pictures to just open up for no reason. When he was asked to describe the problem in more specific terms he hung up.

I never checked the boot logs but I bet he just powered off his Windows NT 4.0 machine. Heh heh heh.

Imagine what confessions I would spill if I played Adam's System Administrator drinking game.

Follow me on Twitter @ShaneCorellian