Академический Документы
Профессиональный Документы
Культура Документы
Note: Generally, this project is not being discussed under NDA with any accounts or third parties.
Should you require permission to discuss this with a particular organization outside the company,
please contact the author.
Revision: 0.1
Date: April 17, 1995
Author(s): J. Allard (JAllard)
Document: fingrsvc.doc
Microsoft Confidential
1 Overview
The finger “protocol” has been present in the Unix community for many years. Initially developed as a
remote user status tool, its simplistic architecture has permitted the development of some interesting and
useful applications. One of the primary contributors to the success of finger is that finger clients are
universally available for all TCP/IP implementations on most systems or trivial to implement. Thus, finger
has proven to be a useful tool for one-time status checks of users, systems, or even components or
processes running on a system. The lack of this type of functionality in Windows NT creates a vaccum for
the system or network administrator that might be working from a non-Windows admin console (e.g.,
Unix) to check the status of an NT system that might be having trouble. This document outlines the
features of a Windows NT-based finger server that would be a useful addition to our internetworking
applications.
Microsoft Confidential 1
2 Finger Protocol Feature Support
The finger protocol is a freeform one time request-response protocol. The finger client opens a connection
to a given TCP port, passes a request string followed by <CR><LF> and the server responds over the same
session with a freeform response that is intended to be human-readible and closes the connection.
Although the query is truly freeform, many years of use have presented some common conventions that
have been documented in RFC1288 along with a description of the protocol. In general, our goal should
be to adhere to the existing conventions whenever possible and to create new conventions for extended
functionality only when absolutely necessary.
The following sections discuss how these levels of functionality will be implemented.
3 Simple Finger
Simple finger refers to the client passing a NULL query to a specified server. For example:
Command Result
finger Specifies local system
finger @microsoft.com Queries system named microsoft.com
finger @1.2.3.4 Queries system at IP address 1.2.3.4
The above queries all specify a NULL query to the server specified following the @ symbol. The text
following the @ symbol is not part of the query. Issuing a simple finger query to an NT server should
result in a set of generally useful information about the system, and any users logged in with active
processes. For example:
Hostname: tcpip.microsoft.com
Computername: TCPIP
Currently logged in users:
Issue: Unfortunately, there’s no way to map a login session to the PIDs that the user has invoked, so we
cannot specify as much info as the standard Unix fingerd would output. This should be available in Cairo.
Issue: Need to fix finger.exe in NT to query the local system if no parameters are specified
Microsoft Confidential 2
4 User Status Queries
I’ll refer to user status queries as finger requests which query a system for information on a user. Example
queries:
Command Result
finger user Queries local system for status on user user
finger user@microsoft.com Queries system named microsoft.com for status on user
user
finger domain\user@microsoft.com Queries system named microsoft.com for status on user
user in domain domain
Note once again that the contents following the @ are used to identify the target system and are not passed
in the finger request. The server should respond with as much information as possible. For example the
command finger jallard@microsoft.com would have different results based on the scenerios outlined
below:
User has account, is currently logged in, and has specified a plan file (see below):
Hostname: tcpip.microsoft.com
Office: 26/1500
Phone Number: 936-9031
Motto: I love to write finger server specifications
A plan file is a simple ASCII file which a user may optionally create to allow people to learn more
information about them such as phone/office numbers, schedules, etc... The location and name of plan
files can be configured by the administrator and the feature can be disabled completely (see below).
Microsoft Confidential 3
5 Other Status Queries
Aside from user status queries an adminstrator may configure the server to accept other types of status
queries. These other fall into two categories:
Conceptually, the two are the same - implementation-wise, the user component of the query is replaced
with a keywork which invokes the gateway. We will have some built-in some gateways to perform
common useful functions. Some initial ideas:
Keyword Function
all Provides a listing of all currently logged in users - this would include authenticated FTP
users, etc... any user with a network logon
cpu Provides the current CPU utilization(s) of the system
net Provides the information returned from net config rdr/server, ipconfig, etc.. 1
system Provides information on the specified system
gateways Enumerates the keywords for the installed gateway(s) on the target system
The output for the built-in gateways should look along the lines of this:
finger all@tcpip:
Hostname: tcpip.microsoft.com
finger cpu@tcpip:
Hostname: tcpip.microsoft.com
finger net@tcpip:
Hostname: tcpip.microsoft.com
1
Might look into the Server Info tool which ships with SMS.
Microsoft Confidential 4
finger system@tcpip:
Hostname: tcpip.microsoft.com
finger gateways@tcpip:
Hostname: tcpip.microsoft.com
Gateways installed:
Microsoft Confidential 5
6 Gateways (Server Extensions)
Gateways permit the ability for some very simple server application development using the finger
protocol. For example, a user might write a little gateway that queried a digital thermometer through the
serial port to report the current temperature at their office, or query a Coke machine which is SNMP
managed. For example:
finger Celsius@tcpip:
Hostname: tcpip.microsoft.com
finger CokeMachine@tcpip:
Hostname: tcpip.microsoft.com
Current stock:
Mountain Dew: 12
Coke: 8
Diet Coke: 9
7Up: 26
Of course more complex gateways could be created which based their decision on some input parameter
passed in the query. Since many finger clients may not allow space characters in the query string, we will
adopt the convention of “\” to denote a parameter for a gateway. For example:
finger CokeMachine\Dew@tcpip:
Hostname: tcpip.microsoft.com
Current stock:
Mountain Dew: 12
Of course, the context of the input “Dew” in this example is specific to the gateway. As such, it is useful to
allow the gateway to document itself. Although we will permit the ability for an description to be specified
in the registry for finger gateway@hostname, we will recommend the convention of finger
<gateway>\help@hostname to refer to the context-specific help (if available) for a specific gateway. For
example:
finger CokeMachine\Help@tcpip:
Hostname: tcpip.microsoft.com
The cokemachine service on this system allows you to specify the specific beverage that
you wish to monitor. For example: finger cokemachine\7up will return the number of cans of
7up currently in stock.
Microsoft Confidential 6
Gateways are simply .exe’s stored in a configured directory which are WinExec()’d by the finger service.
When spawning the gateway, the finger service should hook the connected socket to the gateway’s
STDOUT handle and pass any gateway parameters (e.g., “7up”) as the command argument for the
application. It should be trivial for example to use the ls command as a finger service gateway:
finger ls\e:\nt\system32@tcpip:
Hostname: tcpip.microsoft.com
E:\NT\system32\*.*
Microsoft Confidential 7
7 Configuration/Administration
No configuration should be required to run the finger service with support for only simple queries.
Administrative intervention will only be required to enable the built-in gateways, plan file access, etc...
There will be two property pages to expose these options to the administrator: service and gateways. These
pages will integrate into the common Internet Manager administration tool. Defaults are shown
Microsoft Confidential 8
When extended gateways are installed, they must add a REG_SZ value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FingerSvc\Parameters\Gateways with
the same name as their gateway (e.g. “ls”), and assign the help string to be displayed when a user fingers
gateways@<systemname>. If the Allow extended gateways option is unchecked, this query is rejected. If
enabled, it presents the list of active built-in gateways and all extended gateways in the extended gateway
directory. If an extended directory does not have a help string in the registry, the text “no description
available” should be displayed. For example:
finger gateways@tcpip:
Hostname: tcpip.microsoft.com
Gateways installed:
Microsoft Confidential 9
8 Security Considerations
The finger protocol itself does not present any inherent security risks. However, enabling it to serve only
simple queries enables someone to learn the login names of users on the system, giving an attacker
information on which accounts are available to attack, and the general hours of users on the system. As
such, the setup program should present a warning to the administrator. The other major security
implication with finger is the use of gateways. As the finger service simply spawns a process to run an
executable in the gateways directory (if enabled), a sloppy administrator might leave the directory open for
write access, permitting an attacker to place a copy of format.exe in the gateways directory. This would
permit finger format\d:@tcpip.microsoft.com to cause some real trouble. As such, enabling the gateway
option should present a sufficient warning and the finger service should be sure to only execute files from
the directory specified by the system administrator.
Microsoft Confidential 10
9 Reference - RFC 1288
Network Working Group D. Zimmerman
Request for Comments: 1288 Center for Discrete Mathematics and
Obsoletes: RFCs 1196, 1194, 742 Theoretical Computer Science
December 1991
Abstract
Table of Contents
1. Introduction ........................................... 2
1.1. Intent ............................................... 2
1.2. History .............................................. 3
1.3. Requirements ......................................... 3
1.4. Updates .............................................. 3
2. Use of the protocol .................................... 4
2.1. Flow of events ....................................... 4
2.2. Data format .......................................... 4
2.3. Query specifications ................................. 4
2.4. RUIP {Q2} behavior ................................... 5
2.5. Expected RUIP response ............................... 6
2.5.1. {C} query .......................................... 6
2.5.2. {U}{C} query ....................................... 6
2.5.3. {U} ambiguity ...................................... 7
2.5.4. /W query token ..................................... 7
Zimmerman [Page 1]
Microsoft Confidential 11
RFC 1288 Finger December 1991
1. Introduction
1.1. Intent
However, the BSD version provides few options to tailor the Finger
RUIP for a particular site's security policy, or to protect the user
from dangerous data. Furthermore, there are MANY potential security
holes that implementors and administrators need to be aware of,
particularly since the purpose of this protocol is to return
information about a system's users, a sensitive issue at best.
Therefore, this memo makes a number of important security comments
and recommendations.
Zimmerman [Page 2]
Microsoft Confidential 12
RFC 1288 Finger December 1991
1.2. History
1.3. Requirements
In this document, the words that are used to define the significance
of each particular requirement are capitalized. These words are:
* "MUST"
* "SHOULD"
* "MAY"
1.4. Updates
The differences of note between RFC 1196 and this memo are:
Zimmerman [Page 3]
Microsoft Confidential 13
RFC 1288 Finger December 1991
o the BNF in the Finger query specification was not clear on the
treatment of blank space. This memo is more exacting by
including an explicit token for it.
{W} ::= /W
Zimmerman [Page 4]
Microsoft Confidential 14
RFC 1288 Finger December 1991
Be aware that {Q1} and {Q2} do not refer to a user typing "finger
user@host" from an operating system prompt. It refers to the line
that an RUIP actually receives. So, if a user types "finger
user@host<CRLF>", the RUIP on the remote host receives "user<CRLF>",
which corresponds to {Q1}.
Given that:
And so:
The <H2> RUIP then must itself open a Finger connection <F2-3>
to <H3>, using <Q2-3>.
The <H2> RUIP must return any information received from <F2-3>
to <H1> via <F1-2>.
Zimmerman [Page 5]
Microsoft Confidential 15
RFC 1288 Finger December 1991
For the most part, the output of an RUIP doesn't follow a strict
specification, since it is designed to be read by people instead of
programs. It should mainly strive to be informative.
- terminal location
- office location
- office phone number
- job name
- idle time (number of minutes since last typed input, or
since last job activity).
An answer MUST include at least the full name of the user. If the
user is logged in, at least the same amount of information returned
by {C} for that user MUST also be returned by {U}{C}.
- office location
- office phone number
- home phone number
- status of login (not logged in, logout time, etc)
- user information file
Zimmerman [Page 6]
Microsoft Confidential 16
RFC 1288 Finger December 1991
file in the user's home directory or some common area; the exact
method is left to the implementor. The system administrator SHOULD
be allowed to specifically turn this feature on and off. See section
3.2.4 for caveats.
3. Security
Zimmerman [Page 7]
Microsoft Confidential 17
RFC 1288 Finger December 1991
Overall, there are few cases which would warrant processing of {Q2}
at all, and they are far outweighed by the number of cases for
refusing to process {Q2}. In particular, be aware that if a machine
is part of security perimeter (that is, it is a gateway from the
outside world to some set of interior machines), then turning {Q2} on
provides a path through that security perimeter. Therefore, it is
RECOMMENDED that the default of the {Q2} processing option be to
refuse processing. It certainly should not be enabled in gateway
machines without careful consideration of the security implications.
Zimmerman [Page 8]
Microsoft Confidential 18
RFC 1288 Finger December 1991
Zimmerman [Page 9]
Microsoft Confidential 19
RFC 1288 Finger December 1991
For environments that live and breathe international data, the system
administrator SHOULD be given a mechanism to enable the latter option
by default for all users on a particular system. This can be done
via a global environment variable or similar mechanism.
4. Examples
Site: elbereth.rutgers.edu
Command line: <CRLF>
Site: dimacs.rutgers.edu
Command line: pirmann<CRLF>
Login name: pirmann In real life: David Pirmann
Office: 016 Hill, x2443 Home phone: 989-8482
Directory: /dimacs/u1/pirmann Shell: /bin/tcsh
Last login Sat Jun 23 10:47 on ttyp0 from romulus.rutgers.
No unread mail
Project:
Plan:
Work Schedule, Summer 1990
Rutgers LCSR Operations, 908-932-2443
Microsoft Confidential 20
RFC 1288 Finger December 1991
Site: elbereth.rutgers.edu
Command line: ron<CRLF>
Login name: spinner In real life: Ron Spinner
Office: Ops Cubby, x2443 Home phone: 463-7358
Directory: /u1/spinner Shell: /bin/tcsh
Last login Mon May 7 16:38 on ttyq7
Plan:
ught i
ca n
m a
' ... t
I . . i
! m
! ! e
p !pool
l
e
H
Site: dimacs.rutgers.edu
Command line: hedrick@math.rutgers.edu@pilot.njin.net<CRLF>
[pilot.njin.net]
[math.rutgers.edu]
Login name: hedrick In real life: Charles Hedrick
Office: 484 Hill, x3088
Microsoft Confidential 21
RFC 1288 Finger December 1991
5. Acknowledgments
6. Security Considerations
7. Author's Address
Phone: (908)932-4592
EMail: dpz@dimacs.rutgers.edu
Microsoft Confidential 22
10 Revision history
Version Author Notes
0.1 Jallard Initial draft
Microsoft Confidential 23