RE: Virus is getting domain account listing
From: Levinson, Karl (Karl.Levinson_at_dhs.gov)
Date: 05/10/04
- Previous message: Harlan Carvey: "Re: Virus is getting domain account listing"
- Maybe in reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: David Carlin: "Re: Virus is getting domain account listing"
- Reply: David Carlin: "Re: Virus is getting domain account listing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'David Carlin' <djc6@cwru.edu>, focus-ms@securityfocus.com
Date: Mon, 10 May 2004 11:42:11 -0400
RestrictAnonymous=1 does not disable netbios null sessions or prevent
enumeration of data. It just tries to reduce the amount of data detail that
can be enumerated. Read the articles at www.securityfriday.com and download
the free Getacct tool from that site to see what information is still
available from your system anonymously.

The default local administrator account always has the same SID number, so
that it can trivially be accessed even if you rename it. One countermeasure
commonly used is to disable the account and create your own. However, the
list of users in the Administrators or Domain Admins group can still
probably be enumerated as long as netbios null sessions are enabled.

As you may know, for XP, there is a second registry value,
RestrictAnonymousSAM. Search www.google.com for "RestrictAnonymousSAM" for
information on how it works. In Windows 2000, as you may know, there is also
a value RestrictAnonymous=2 which does not exist in NT, XP or 2003
[but which is similar to RestrictAnonymous=1 plus RestrictAnonymousSAM=1 in
XP and 2003]. This gets you closer to protecting your user lists. But you
can't consider using these higher values until you get rid of NT, 9x and ME
from your network, as well as some other legacy software considerations.
The Windows 2000 Group Policy guide at www.nsa.gov/snac/ has some good
information and links on the things that can break.
> -----Original Message-----
> From: David Carlin [mailto:djc6@cwru.edu]
> Sent: Monday, May 10, 2004 9:11 AM
> To: focus-ms@securityfocus.com
> Subject: Virus is getting domain account listing
>
> Hello,
>
> I work on a college campus and have been plagued for months by
> something that is going through all of the accounts in my domains and
> locking the accounts out by failed password attempts. I have two PDCs
> for two different domains, running NT 4.0 and clients running XP
> scattered around campus in various subnets. I have setup an ACL on my
> cisco switch to block traffic to the PDCs except from these subnets,
> but it doesn't help because there are machines in those subnets
> administered by other people that continue to get "infected".
>
> My question is, how do I stop whatever this is from getting my account
> listing in the first place? I have run Microsoft baseline analyzer, it
> says I'm all good.. The free Nessus scanner doesn't report any
> problems. I have all patches, RestrictAnonymous=1 is in the registry.
>
> I've renamed my admin account, this thing always picks up on it. It
> knows which accounts are domain admins and attacks them more
> aggressively. I've contacted the owners of the various machines
> attacking, they never find any strange software, virus scanners always
> come up empty - even when done remotely over the administrative shares.
>
> Any ideas how to protect my user list?
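The reply above makes two checkable points: the RestrictAnonymous family of LSA registry values only narrows what an anonymous caller can enumerate, and the built-in administrator account keeps its well-known RID (500) however it is renamed. The following audit script is an added example, not code from the thread or from any of the tools it mentions. It assumes a modern Windows member or standalone host with PowerShell 5.1 or later and the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt; the expected values are the hardened settings the reply argues toward, not values stated on the page.

```powershell
# Added example (not part of the original thread): audit the anonymous-access
# LSA values the reply discusses and locate the built-in Administrator account
# by its well-known RID (500) regardless of its current name.
# Assumes Windows with PowerShell 5.1+ and Get-LocalUser; run elevated.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa

# Values named in the reply, plus EveryoneIncludesAnonymous, which on XP/2003
# and later decides whether anonymous callers receive Everyone-group rights.
# 'Want' is the hardened setting for each (an assumption for this audit, not
# a value quoted from the thread).
$checks = @(
    @{ Name = 'RestrictAnonymous';         Want = 1 }
    @{ Name = 'RestrictAnonymousSAM';      Want = 1 }
    @{ Name = 'EveryoneIncludesAnonymous'; Want = 0 }
)

foreach ($c in $checks) {
    $val = $props.($c.Name)
    if ($null -eq $val) { $val = '<not set>' }   # missing value -> OS default applies
    $status = if ($val -eq $c.Want) { 'OK' } else { 'REVIEW' }
    '{0,-28} {1,-10} (expected {2}) {3}' -f $c.Name, $val, $c.Want, $status
}

# The built-in Administrator keeps RID 500 whatever it is renamed to, which is
# why renaming alone does not hide it from an enumerating caller. Match on the
# SID suffix rather than on the account name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin) {
    '{0,-28} {1,-10} Enabled={2}' -f 'Built-in admin (RID 500)', $builtin.Name, $builtin.Enabled
    if ($builtin.Enabled) {
        'REVIEW: built-in admin is enabled; the reply suggests disabling it and using a separately created account.'
    }
}
```

Each line of output pairs a setting with its current value and a verdict, so the script can be run across a fleet and diffed. On a domain controller Get-LocalUser is unavailable; the same RID-500 lookup would be done against the domain account store instead.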