compaq.99-09-03.cmas_pfcuser
a3df7f68ad425164f1cfe1210a5e8ad9110245f5799cb860daaf11ea76aa0949
United States
[1]COMPAQ [2]STORE | PRODUCTS | SERVICES | SUPPORT | CONTACT US |
SEARCH
[INLINE] [INLINE]
[INLINE]
[INLINE]
[INLINE]
Compaq Security Advisory
Posted: September 3, 1999
[3]Skip to Follow-Up posted 9/10/99
"PFCUser" account Vulnerability in the Compaq Management Agents for Servers
for Microsoft Windows NT
Summary
In the 4.20D release of the Compaq Management Agents, Compaq
introduced the capability to manage Microsoft Windows NT environments
by integrating key technology from BMC Software into the Compaq
Management Agents for Windows NT. As part of this capability, the
Compaq Management Agents automatically create a Windows NT account
called PFCUser.
Compaq has confirmed that there are potential security vulnerabilities
with the account/password. While there are no reports of customers
being adversely affected by this vulnerability, Compaq is proactively
releasing this bulletin to enable customers to take appropriate action
to protect their systems.
Scope
Versions Affected Service Name in Windows NT
Compaq Insight Management Agent for Windows NT v4.20D Patrol For
Insight Manager
Compaq Insight Management Agent for Windows NT v4.22 Patrol For
Insight Manager
Compaq Insight Management Agent for Windows NT v4.23 Compaq NT OS
Management
Compaq Management Agents for Servers for Windows NT v4.30 Compaq NT
Management
Compaq Management Agents for Servers for Windows NT v4.40 Compaq NT
Management
Note: The Compaq Management Agents for Clients (Desktops,
Workstations, and Portables) are not affected. The Compaq Management
Agents for Servers for other operating systems are not affected.
Identification
To determine if your servers have these capabilities installed,
1. Login as Administrator
2. From the Start menu, select Programs, then Administrative Tools,
then User Manager
3. Check for existence of PFCUser account
Recommended action
Compaq recommends that customers change the password for the PFCUser
account using the PFIMuser utility that is provided at the time of
installation. PFIMUSER.EXE is a command line utility that associates
the user account with the OS Management component, and allows the
password to be changed. (Do NOT use the Windows NT User Manager to
change this account password)
1. Login as Administrator
2. Start a DOS Command Prompt Window
3. Change directory to %PFC_HOME% (CD /Winnt/System32/pfc)
4. Run the pfimuser program to change the password (Type pfimuser)
5. Type Username when prompted (PFCUser)
6. Type new password when prompted
7. Verify new password when prompted
Note: PFIMuser utility does not support prefixing the name with a
domain name
Administrators also have the option to uninstall the OS Management
components that will remove the PFCUser account, by following
instructions detailed later in this document. This disables only the
Windows NT OS management functionality, and does not affect the
hardware management functionality provided by the Compaq Management
Agents.
What Compaq and BMC Software are doing
Compaq and BMC Software are actively working to resolve the potential
vulnerability in the next release of the Compaq Management Agents for
Windows NT. Details of the changes will be published shortly.
UNINSTALLING THE COMPAQ WINDOWS NT MANAGEMENT CAPABILITY - IN VERSIONS
4.23, 4.30 AND 4.40
There are two acceptable procedures for uninstalling Windows NT
Management in Compaq Insight Manager. You can either:
1. From the Start menu, select Compaq Products and Services.
2. Click Uninstall Compaq NT Management.
3. Follow the instructions on the screen to complete the Uninstall.
Or
1. From the Start menu, select Settings -> Control Panel.
2. From the Control Panel, select and run the Add/Remove Programs
applet.
3. Select Compaq NT Management for Compaq Insight Manager from the
installed software list.
4. Click Add/Remove. The Confirm File Deletion dialog box displays.
5. Click Yes.
6. Click OK to complete the Uninstall.
UNINSTALLING THE WINDOWS NT MANAGEMENT TECHNOLOGY FROM BMC - IN
VERSIONS 4.20D AND 4.22
There are two acceptable procedures for uninstalling PATROL for Compaq
Insight Manager. You can either:
1. Login as Administrator
2. From the Start menu, select Compaq Products and Services.
3. Click Uninstall Patrol for Compaq.
4. Follow the instructions on the screen to complete the Uninstall.
OR
1. Login as Administrator
2. From the Start menu, select Settings, then Control Panel.
3. From the Control Panel, select and run the Add/Remove Programs
applet.
4. Select PATROL for Compaq Insight Manager from the installed
software list.
5. Click Add/Remove. The Confirm File Deletion dialog box displays.
6. Click Yes.
7. Click Ok to complete the Uninstall.
After you have completed one of these procedures, you must also:
1. Remove files and directories not deleted by the uninstall program.
Delete the C:\Winnt\System32\Patrol and C:\Winnt\System32\Pfc
directories, as well as all subdirectories and files in those
subdirectories.
2. Remove directories from PATH environment variable:
Open the Control Panel and run the System applet. Select the
Environment tab in the System Properties dialog box. Select the
PATH variable in the list of System Variables. Delete the
following directory paths in the Value edit box:
+ C:\Winnt\System32\Patrol\bin
+ C:\Winnt\System32\Patrol\utils
+ C:\Winnt\System32\Patrol\KM\bin
Click on the Set button to save the changes, then click on the OK
button to close the System Properties dialog box.
3. Delete the BMC Patrol for Compaq user account:
Windows NT does not clean up all the user information when a user
is deleted from the system. It is important to delete the Access
Rights along with the user when removing. If you do not remove the
Access Rights, a user with the same name as before cannot be added
without difficulties. When a user is deleted from the system,
Windows NT will place an "Account Deleted" entry into the Access
Right area where the account existed. Please follow the
instructions below to properly remove an account. If you have
already removed the account, do not worry. You will just need to
remove the "Account Deleted" entry from the seven (7) User Rights.
Delete Procedure:
Open the Windows NT User Manager Application. Access the User Rights
panel from the menu bar (Policies -> User Rights). Check Show Advanced
User Rights in the lower left hand corner. Delete the PFCUser from the
following seven (7) User Rights:
1. Act as part of the operating system
2. Debug programs
3. Increase Quotas
4. Log on as a service
5. Log on locally
6. Profile system performance
7. Replace a process level token
8. Delete the PFCUser Account.
Follow-Up Communication (9/10/99)
This communication is a follow-up to the bulletin titled "PFCUser
account Vulnerability in the Compaq Management Agents for Servers for
Windows NT". It addresses some concerns raised by Compaq customers
regarding the creation and use of the PFCUser account, during an
install of the Compaq Management Agents for Servers for Windows NT.
Compaq continues to take a serious approach to quality and security in
all of its software products, and strives to address issues, provide
solutions and communicate them in a timely and responsible manner.
The issues that have been raised regarding the PFCUser account are:
1. Potential vulnerability of the PFCUser account because of the
automatic creation of the password
2. User is not notified that the PFCUser account is being created
3. Level of rights assigned to the account
4. Uncertainty of uninstall removing the user account
To alleviate concerns regarding the potential vulnerability of the
account, Compaq recommended to customers to change the password.
Instructions on how to do this are provided in the bulletin titled
'PFCUser account Vulnerability in the Compaq Management Agents for
Servers for Windows NT'. This and the other issues are being further
addressed by making changes to the software to prompt the user to
create the account and the password and not generate it automatically.
These changes will in the 4.40B release of the Compaq Foundation
Agents for Windows NT, which will be available for download as a
SoftPaq (SP10629) by the end of September
Why is a user account needed?
Many Windows NT applications require a user account to interact
between the program and the operating system. The Windows NT
Management component of the Compaq Management Agents requires a user
account to interact with the operating system to gather detailed OS
level information. Requiring a user account is consistent with access
required by other Windows NT applications in the market today.
Changes being implemented in 4.40B
1) The automatic creation of the user account and automatic generation
of the password will be discontinued.
2) During an assisted install of the Compaq Management Agents, a
dialog box will notify the user that an account is required for the
Windows NT Management components. The user will be presented the
option to create a new account, use an existing account or cancel the
install of the Windows NT Management components.
During a command line installation, the installer will allow command
line options to pass a Username and Password so that the agents can be
installed in silent mode.
3) The privileges associated with the user account have been changed,
and the only user right retained is to allow the account to logon
locally. During an upgrade of the Windows NT Management components,
the installer will remove the existing PFCUser account if it exists,
and prompt the user for a new account and password with minimum
privileges.
4) There were some issues with removal of the PFCUser account during
uninstall of versions 4.20D and 4.22 of the Compaq Management Agents.
The issues were fixed in version 4.23.
We sincerely hope that these clarifications alleviate some of the
concerns surrounding this product. Compaq and BMC Software will
continue to review and enhance the security features of our products
and work with customers to maintain and improve the security and
integrity of their systems. For more information and help on Compaq
Insight Manager and the Compaq Management Agents, customers can call
Server and Networking support at 1-800-3862172 and chose option 4 from
the menu.
COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT
THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND
RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED ON THIS SERVER FOR ANY
PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND AND ARE SUBJECT TO CHANGE WITHOUT NOTICE.
THE ENTIRE RISK ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT.
IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR
ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR OTHER
DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF
BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS
INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
1.800.345.1518 [INLINE]
[4]privacy and legal statement
References
1. http://www.compaq.com/
2. LYNXIMGMAP:http://www.compaq.com/products/servers/management/advisory.html#nav
3. http://www.compaq.com/products/servers/management/advisory.html#followup
4. http://www.compaq.com/copyright.html
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed