
Matt Johnson's Technical Adventures

One server at a time.
Whaaaaaat? Edit the NTLDR??????

Now normally I don’t knock on others’ “helpful” tips, but this just made me sit back and say “WOW!”

While reading through the massive amount of email I get on a daily basis, I came upon a message that arrived last week from MCPMag.com. The article was written by Chris Wolf, an MVP. Now I may be off my rocker, but I don’t think this should be in the hands of most “admins”. The article involved someone asking for a “registry hack” to disable safe mode. In response to this question, Chris describes what amounts to editing the NTLDR with a hex editor to change a value in the file.

I may be nuts, but would I recommend editing the NTLDR on a production system? NO! Also, how can this be a viable solution for “fixing” this problem? And editing the NTLDR with a hex editor? I would love for someone to implement this and then call PSS. They might just laugh that person off the phone.

Oh well… think I am nuts for this bugging me? Let me know….

Posted: Tuesday, March 21, 2006 9:46 PM by win2kmaster

Comments

Steve G said:

Are you nuts for letting this bug you? Only if this is seen as a general purpose fix for lots of systems. Without knowing the background to the request, it is difficult to comment. Faced with a situation that demanded I remove access to Safe Mode for one machine, I might be inclined to follow the suggestion - but only if the threat being addressed was worse than the mitigation.

Out on Microsoft's IT Showtime site, there's a video of Jesper Johansson giving a talk about securing SQL Server. During the session, he addresses various security issues and ultimately ends up with a working version of SQL Server, but a version that PSS would never support.

In the end, it's a balancing act. Is the realisation of the threat you're trying to protect against worse than the mitigation put in place? Editing NTLDR is certainly on the extreme side of mitigation, but if it addresses a problem for an isolated situation and there is an understanding that any issues with the box will involve wipe-and-reload, then go with it.

March 23, 2006 1:39 AM