Re: Trace of 139 attack?
From: Thor@HammerofGod.com
Date: 07/26/01
- Previous message: Douglas Spooner: "Post-Windows NT 4.0 Service Pack 6a Security Rollup"
- Maybe in reply to: Eagle: "Trace of 139 attack?"
From: Thor@HammerofGod.com
To: WindexKing@mor-lan-d.com, FOCUS-MS@securityfocus.com
Message-ID: <012501c11602$a9189230$af05a8c0@anchorsign.com>
Subject: Re: Trace of 139 attack?
Date: Thu, 26 Jul 2001 11:41:56 -0700

Excellent point: I'm glad you made it. I should have been more specific
when I was being more specific!
While we may hope that the thread title would keep the context of logons to
IPC resources over the LAN, it is valuable to point out that other services
can handle logon requests differently. Another good example of type 2
logons is Basic Auth over HTTP. These are also local logons, though one
might mistakenly consider them "network" logons. The same for terminal
server, etc.
Thanks for clearing that up.
AD
----- Original Message -----
From: "Windex King" <WindexKing@mor-lan-d.com>
To: <FOCUS-MS@securityfocus.com>
Cc: <Thor@HammerofGod.com>; <owentoby@WellsFargo.COM>
Sent: Thursday, July 26, 2001 11:16 AM
Subject: Re: Trace of 139 attack?
>
>
> Thor@HammerofGod.com wrote:
> >
> > Just to be clear for all of the faithful readers
> > out there, passprop.exe can be used to lockout the
> > administrator account over network connections, but
> > not for interactive logons.
> >
> > AD
>
> As owentoby@WellsFargo.COM pointed out in a later post
> AD's comment is "half true".
>
> One must remember that we're talking about NT's interpretation
> of a network logon as opposed to any logon via the network.
>
> Let me explain. If I map a drive to a server it's a Type
> 3 logon to the remote machine which NT considers a network
> logon.
>
> If I logon to a remote NT box via an OpenSSH daemon it's
> a Type 2 Advapi logon which is seen as a *LOCAL* logon by
> NT and subsequently by passprop.
>
> Here are some other logons that are deemed local even though
> they happen via the network (this is not an exhaustive list!)
>
> - logons via Terminal Server (per owentoby's earlier comment)
> - logons via WinVNC
> - logons via PC Anywhere
> - logons via FTP daemons
> - etc.
>
> So, when using passprop one must remember to put extra controls
> on the access paths which allow "local" logon ability since
> failure to do so makes passprop much less effective.
>
> W K
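
Added example, not part of the original messages: a small audit-log check that separates failed Administrator logons into those NT records as Type 3 (network, where the thread says the passprop lockout applies) and those recorded as any other type, such as Type 2 via advapi. The record layout is an assumption modelled on NT failed-logon event 529, the sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Per the thread: Type 3 is what NT considers a network logon.
NETWORK_LOGON = 3

# Constructed sample records (layout assumed, modelled on NT event 529).
SAMPLE = """\
Event ID: 529
User Name: Administrator
Logon Type: 3
Logon Process: KSecDD

Event ID: 529
User Name: Administrator
Logon Type: 2
Logon Process: advapi

Event ID: 529
User Name: jsmith
Logon Type: 2
Logon Process: User32
"""

FIELD = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")

def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if fields.get("Event ID") == "529" and fields.get("Logon Type", "").isdigit():
            events.append(fields)
    return events

def admin_failures(events, account="Administrator"):
    """Return (network failures, Counter of non-network failures by type/process)."""
    covered, uncovered = 0, Counter()
    for ev in events:
        if ev.get("User Name", "").lower() != account.lower():
            continue
        if int(ev["Logon Type"]) == NETWORK_LOGON:
            covered += 1  # counts toward the network-only admin lockout
        else:  # Type 2 and anything else NT does not treat as a network logon
            uncovered[(int(ev["Logon Type"]), ev.get("Logon Process", "?"))] += 1
    return covered, uncovered

if __name__ == "__main__":
    print(admin_failures(parse_events(SAMPLE)))
```

Entries in the second return value are the failed Administrator logons that arrive through "local" access paths, which is where the extra controls mentioned above are needed.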