Remote Windows User List Disclosure Vulnerability

Posted by Victor Fdez-Peñaranda on May 16, 2006, 9:28 am
Hi everybody,

We use a tool that audits our servers in order to avoid
vulnerabilities. I've a DC w2003 with the following vulnerability:
Remote Windows User List Disclosure Vulnerability. That means that a
null session connection to the IPC$ share was successful and NetBIOS
access can be obtained with any authenticated account on that host.
Therefore unauthorized users can steal the remote user list. This kind
of attack is commonly exploited by users with weak passwords, such as
the GUEST account.

Microsoft has published this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;246261

The values for w2000 and w2003 are different. I've read that in w2003
in order to restrict anonymous you can only use 0 for disable and 1
for enable it. Meanwhile, in Windows 2000 you have one more possible
value, 2. Anyway, I've tried to set it to 1 or 2 without success. I've
also disabled the possibility of enumerating SAM accounts and shares
through the domain controller security policy.

After restarting the server I obtain again the vulnerability in that
server.

Any idea about this issue?

Your help would be much appreciated,

Regards.

Victor Fdez-Peñaranda


Posted by Karl Levinson, mvp on May 16, 2006, 10:34 am
Both Win2003 and 2000 have the same capabilities here. With Windows 2000,
this is done with the Registry value RestrictAnonymous = 0, 1 or 2. With XP
and 2003, this value can only be 0 or 1, but there is a second registry
value called RestrictAnonymousSAM = 0 or 1 that gives you the other
functionality.

On some servers like domain controllers, some things may break, especially
for versions of Windows prior to XP and 2000, if you restrict null session
information too much.

Also note that attackers can log on remotely using the SID, even with null
sessions disabled. So blocking this null session information only helps you
so much.

There's a good site www.securityfriday.com with articles about what these
registry values do and don't do, and there's also a free tool GetAcct at
that site that helps you see what you can and can't see with various
settings selected.


Posted by Victor Fdez-Peñaranda on May 16, 2006, 10:53 am
Hi Karl,

I knew that I can enable this capability using 1 for that value in the
registry for w2003/xp. What is happening in our environment is that
after a certain period of time the RestrictAnonymous is automatically set
to 0. Maybe there is a domain policy that is overwriting the value. Do
you know where I could find it?

Thanks again,

Regards.

Victor Fdez-Peñaranda.


Posted by Roger Abell [MVP] on May 16, 2006, 11:12 am
Try using RSoP capability, such as is available within the
Group Policy Management Console (GPMC from the
microsoft.com/downloads site), in order to see what is
setting the value back to 0 if this is being caused by the
application of a GPO.
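
The checks discussed in this thread, as an added example that is not part of any poster's message: read RestrictAnonymous and RestrictAnonymousSAM, see whether a forced policy refresh changes them, and search the RSoP report for the GPO responsible. It assumes the values live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that the super-verbose gpresult report lists the registry value name near the GPO that sets it; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the affected server.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Names  = 'RestrictAnonymous', 'RestrictAnonymousSAM'

function Get-AnonymousRestriction {
    # Return the current value of each setting; $null means the value is absent.
    $props = Get-ItemProperty -Path $LsaKey
    foreach ($name in $Names) {
        $prop  = $props.PSObject.Properties[$name]
        $value = $null
        if ($prop) { $value = $prop.Value }
        [pscustomobject]@{ Name = $name; Value = $value }
    }
}

function Test-PolicyRevert {
    # Compare the values before and after a forced computer-policy refresh.
    # A value that changes here is being written by Group Policy, not by hand.
    $before = Get-AnonymousRestriction
    & gpupdate.exe /target:computer /force | Out-Null
    $after  = Get-AnonymousRestriction
    foreach ($b in $before) {
        $a = $after | Where-Object { $_.Name -eq $b.Name }
        [pscustomobject]@{
            Name             = $b.Name
            Before           = $b.Value
            After            = $a.Value
            RevertedByPolicy = ($b.Value -ne $a.Value)
        }
    }
}

function Find-PolicySource {
    # Assumption: the super-verbose RSoP report names the registry value next
    # to the GPO that sets it; the context lines show that GPO.
    & gpresult.exe /scope computer /z |
        Select-String -Pattern 'RestrictAnonymous' -Context 4, 2
}

Get-AnonymousRestriction | Format-Table -AutoSize
Test-PolicyRevert        | Format-Table -AutoSize
Find-PolicySource
```

Set the value by hand first, then run the script: if RevertedByPolicy is True, the GPO named in the Find-PolicySource output is where the setting needs to be changed.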

