Veritas Backup Exec opens networks for NetBIOS based attacks?

From: Geoff Craig (GCraig@quilogy.com)
Date: 09/06/02


Date: Fri, 6 Sep 2002 15:19:22 -0500
From: "Geoff Craig" <GCraig@quilogy.com>
To: <bugtraq@securityfocus.com>

Veritas Backup Exec opens networks for NetBIOS based attacks?

By: Geoff Craig, Adrian Romo
Company: Quilogy http://www.quilogy.com

Currently, we are working with a customer that has moved to Active
Directory and is using Backup Exec 8.5 to backup all servers and domain
controllers from a centralized backup server. We do not feel that this
is an uncommon backup implementation. During a security audit, it was
determined that the RestrictAnonymous registry value on the customer's
domain controllers and Exchange 2000 server was set to 0 (allowing
anonymous enumeration of the SAM database and shares). This was
determined to be an unacceptable security risk, and the domain
controller security policy along with the local security policy on the
Exchange 2000 server was changed so that the RestrictAnonymous value was
1. After setting RestrictAnonymous to 1, Backup Exec started reporting
errors such as "Unable to attach to \\mydc\System?State. The device
cannot be found". A similar error was reported on the Exchange 2000
server as well. After a quick search of the Veritas knowledgebase the
following articles were found:

http://seer.support.veritas.com/docs/239059.htm
http://seer.support.veritas.com/docs/239391.htm

These articles reveal that in order for Backup Exec versions 8.5 and 8.6
to remotely backup Active Directory or Exchange 2000 databases that the
RestrictAnonymous setting MUST be set to 0. One may assume that for
some reason Backup Exec requires an anonymous session in order to backup
ESE databases, (both Exchange 2000 and Active Directory are ESE
databases) but Veritas does not explain why this is required. Here is a
quote from Veritas article 239059 when discussing setting
RestrictAnonymous equal to a value other than 0.

"This (setting RestrictAnonymous not equal to 0) could cause undesired
behavior because many Windows 2000 services, as well as third-party
programs, such as Backup Exec, rely on anonymous access capabilities to
perform legitimate tasks. Because of this, it is important to weigh the
benefits of restricting the capabilities of anonymous users from a
security perspective against the requirements of services and programs
that rely on anonymous access for complete functionality."

Veritas apparently understands that their software requires lax security
in order to function correctly. It is our opinion that this requirement
should cause Backup Exec users to reconsider their use of this product.
If this software must be used, then a less than ideal workaround may be
to backup these ESE databases to a file in a shared location using the
backup package built into Windows 2000 and then backup the file from a
centralized backup point. Nevertheless, users of Backup Exec need to
confront Veritas and ask why their product requires an insecure
configuration of the operating system in order to function.