Compaq Security Advisory

Posted: September 3, 1999

"PFCUser" account Vulnerability in the Compaq Management Agents for Servers for Microsoft Windows NT

Summary

In the 4.20D release of the Compaq Management Agents, Compaq introduced the capability to manage Microsoft Windows NT environments by integrating key technology from BMC Software into the Compaq Management Agents for Windows NT. As part of this capability, the Compaq Management Agents automatically create a Windows NT account called PFCUser. Compaq has confirmed that there are potential security vulnerabilities with the account/password. While there are no reports of customers being adversely affected by this vulnerability, Compaq is proactively releasing this bulletin to enable customers to take appropriate action to protect their systems.

Scope

   Versions Affected                                            Service Name in Windows NT
   Compaq Insight Management Agent for Windows NT v4.20D        Patrol For Insight Manager
   Compaq Insight Management Agent for Windows NT v4.22         Patrol For Insight Manager
   Compaq Insight Management Agent for Windows NT v4.23         Compaq NT OS Management
   Compaq Management Agents for Servers for Windows NT v4.30    Compaq NT Management
   Compaq Management Agents for Servers for Windows NT v4.40    Compaq NT Management

Note: The Compaq Management Agents for Clients (Desktops, Workstations, and Portables) are not affected. The Compaq Management Agents for Servers for other operating systems are not affected.

Identification

To determine if your servers have these capabilities installed,

  1. Login as Administrator
  2. From the Start menu, select Programs, then Administrative Tools, then User Manager
  3. Check for existence of PFCUser account

Recommended action

Compaq recommends that customers change the password for the PFCUser account using the PFIMuser utility that is provided at the time of installation. PFIMUSER.EXE is a command line utility that associates the user account with the OS Management component, and allows the password to be changed. (Do NOT use the Windows NT User Manager to change this account password)

  1. Login as Administrator
  2. Start a DOS Command Prompt Window
  3. Change directory to %PFC_HOME% (CD /Winnt/System32/pfc)
  4. Run the pfimuser program to change the password (Type pfimuser)
  5. Type Username when prompted (PFCUser)
  6. Type new password when prompted
  7. Verify new password when prompted

Note: PFIMuser utility does not support prefixing the name with a domain name

Administrators also have the option to uninstall the OS Management components that will remove the PFCUser account, by following instructions detailed later in this document. This disables only the Windows NT OS management functionality, and does not affect the hardware management functionality provided by the Compaq Management Agents.

What Compaq and BMC Software are doing

Compaq and BMC Software are actively working to resolve the potential vulnerability in the next release of the Compaq Management Agents for Windows NT. Details of the changes will be published shortly.

UNINSTALLING THE COMPAQ WINDOWS NT MANAGEMENT CAPABILITY - IN VERSIONS 4.23, 4.30 AND 4.40

There are two acceptable procedures for uninstalling Windows NT Management in Compaq Insight Manager. You can either:

  1. From the Start menu, select Compaq Products and Services.
  2. Click Uninstall Compaq NT Management.
  3. Follow the instructions on the screen to complete the Uninstall.

Or

  1. From the Start menu, select Settings -> Control Panel.
  2. From the Control Panel, select and run the Add/Remove Programs applet.
  3. Select Compaq NT Management for Compaq Insight Manager from the installed software list.
  4. Click Add/Remove. The Confirm File Deletion dialog box displays.
  5. Click Yes.
  6. Click OK to complete the Uninstall.

UNINSTALLING THE WINDOWS NT MANAGEMENT TECHNOLOGY FROM BMC - IN VERSIONS 4.20D AND 4.22

There are two acceptable procedures for uninstalling PATROL for Compaq Insight Manager. You can either:

  1. Login as Administrator
  2. From the Start menu, select Compaq Products and Services.
  3. Click Uninstall Patrol for Compaq.
  4. Follow the instructions on the screen to complete the Uninstall.

OR

  1. Login as Administrator
  2. From the Start menu, select Settings, then Control Panel.
  3. From the Control Panel, select and run the Add/Remove Programs applet.
  4. Select PATROL for Compaq Insight Manager from the installed software list.
  5. Click Add/Remove. The Confirm File Deletion dialog box displays.
  6. Click Yes.
  7. Click Ok to complete the Uninstall.

After you have completed one of these procedures, you must also:

  1. Remove files and directories not deleted by the uninstall program.
     Delete the C:\Winnt\System32\Patrol and C:\Winnt\System32\Pfc directories, as well as all subdirectories and files in those subdirectories.

  2. Remove directories from PATH environment variable:
     Open the Control Panel and run the System applet. Select the Environment tab in the System Properties dialog box. Select the PATH variable in the list of System Variables. Delete the following directory paths in the Value edit box:
       + C:\Winnt\System32\Patrol\bin
       + C:\Winnt\System32\Patrol\utils
       + C:\Winnt\System32\Patrol\KM\bin
     Click on the Set button to save the changes, then click on the OK button to close the System Properties dialog box.

  3. Delete the BMC Patrol for Compaq user account:
     Windows NT does not clean up all the user information when a user is deleted from the system. It is important to delete the Access Rights along with the user when removing. If you do not remove the Access Rights, a user with the same name as before cannot be added without difficulties.
     When a user is deleted from the system, Windows NT will place an "Account Deleted" entry into the Access Right area where the account existed. Please follow the instructions below to properly remove an account. If you have already removed the account, do not worry. You will just need to remove the "Account Deleted" entry from the seven (7) User Rights.

     Delete Procedure:
     Open the Windows NT User Manager Application. Access the User Rights panel from the menu bar (Policies -> User Rights). Check Show Advanced User Rights in the lower left hand corner. Delete the PFCUser from the following seven (7) User Rights:
       1. Act as part of the operating system
       2. Debug programs
       3. Increase Quotas
       4. Log on as a service
       5. Log on locally
       6. Profile system performance
       7. Replace a process level token
     Delete the PFCUser Account.

Follow-Up Communication (9/10/99)

This communication is a follow-up to the bulletin titled "PFCUser account Vulnerability in the Compaq Management Agents for Servers for Windows NT". It addresses some concerns raised by Compaq customers regarding the creation and use of the PFCUser account, during an install of the Compaq Management Agents for Servers for Windows NT. Compaq continues to take a serious approach to quality and security in all of its software products, and strives to address issues, provide solutions and communicate them in a timely and responsible manner.

The issues that have been raised regarding the PFCUser account are:

  1. Potential vulnerability of the PFCUser account because of the automatic creation of the password
  2. User is not notified that the PFCUser account is being created
  3. Level of rights assigned to the account
  4. Uncertainty of uninstall removing the user account

To alleviate concerns regarding the potential vulnerability of the account, Compaq recommended to customers to change the password.
Instructions on how to do this are provided in the bulletin titled 'PFCUser account Vulnerability in the Compaq Management Agents for Servers for Windows NT'. This and the other issues are being further addressed by making changes to the software to prompt the user to create the account and the password and not generate it automatically. These changes will be in the 4.40B release of the Compaq Foundation Agents for Windows NT, which will be available for download as a SoftPaq (SP10629) by the end of September.

Why is a user account needed?

Many Windows NT applications require a user account to interact between the program and the operating system. The Windows NT Management component of the Compaq Management Agents requires a user account to interact with the operating system to gather detailed OS level information. Requiring a user account is consistent with access required by other Windows NT applications in the market today.

Changes being implemented in 4.40B

  1) The automatic creation of the user account and automatic generation of the password will be discontinued.

  2) During an assisted install of the Compaq Management Agents, a dialog box will notify the user that an account is required for the Windows NT Management components. The user will be presented the option to create a new account, use an existing account or cancel the install of the Windows NT Management components. During a command line installation, the installer will allow command line options to pass a Username and Password so that the agents can be installed in silent mode.

  3) The privileges associated with the user account have been changed, and the only user right retained is to allow the account to logon locally. During an upgrade of the Windows NT Management components, the installer will remove the existing PFCUser account if it exists, and prompt the user for a new account and password with minimum privileges.

  4) There were some issues with removal of the PFCUser account during uninstall of versions 4.20D and 4.22 of the Compaq Management Agents. The issues were fixed in version 4.23.

We sincerely hope that these clarifications alleviate some of the concerns surrounding this product. Compaq and BMC Software will continue to review and enhance the security features of our products and work with customers to maintain and improve the security and integrity of their systems.

For more information and help on Compaq Insight Manager and the Compaq Management Agents, customers can call Server and Networking support at 1-800-3862172 and choose option 4 from the menu.
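
Added example (not part of Compaq's advisory or software): a Python check that confirms the user-rights cleanup from the delete procedure above, reporting which of the seven rights still reference PFCUser. It assumes the rights assignment has been exported as an INF [Privilege Rights] section, for instance with secedit /export /cfg rights.inf /areas USER_RIGHTS; the sample export, the host name SRV01 and the SID are constructed, and raw S-1-5-21 account SIDs are listed for manual review on the assumption that they may be leftover "Account Deleted" entries.

```python
import re
# The seven user rights the advisory lists for PFCUser, keyed by the constant
# names Windows uses in the [Privilege Rights] section of a policy export.
PFC_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeDebugPrivilege": "Debug programs",
    "SeIncreaseQuotaPrivilege": "Increase Quotas",
    "SeServiceLogonRight": "Log on as a service",
    "SeInteractiveLogonRight": "Log on locally",
    "SeSystemProfilePrivilege": "Profile system performance",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
# Assumption: a raw account SID on one of these rights may be a leftover entry.
ACCOUNT_SID = re.compile(r"^\*S-1-5-21-[\d-]+$")

def audit_rights(inf_text, account="PFCUser"):
    """Return (rights still naming the account, (right, SID) pairs to review)."""
    named, raw_sids, in_section = [], [], False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        right, _, holders = (part.strip() for part in line.partition("="))
        if right not in PFC_RIGHTS:
            continue
        for holder in (h.strip() for h in holders.split(",")):
            # Names may be exported as HOST\name; compare the last component.
            if holder.split("\\")[-1].lower() == account.lower():
                named.append(PFC_RIGHTS[right])
            elif ACCOUNT_SID.match(holder):
                raw_sids.append((PFC_RIGHTS[right], holder))
    return named, raw_sids

# Constructed sample export (host SRV01 and the SID are made up).
SAMPLE = """[Privilege Rights]
SeTcbPrivilege = PFCUser
SeDebugPrivilege = *S-1-5-32-544,PFCUser
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1009
SeInteractiveLogonRight = *S-1-5-32-544,SRV01\\PFCUser
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

if __name__ == "__main__":
    still_named, to_review = audit_rights(SAMPLE)
    print("still granted to PFCUser:", still_named)
    print("raw account SIDs to review:", to_review)
```

An empty first list and no unexplained SIDs in the second indicate that the seven rights no longer reference the account.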