Re: Virus is getting domain account listing
From: David Carlin (djc6_at_cwru.edu)
Date: 05/10/04
- Previous message: David Carlin: "Re: Virus is getting domain account listing"
- In reply to: Levinson, Karl: "RE: Virus is getting domain account listing"
- Next in thread: Corinna: "RE: Virus is getting domain account listing"
- Reply: Corinna: "RE: Virus is getting domain account listing"
Date: Mon, 10 May 2004 13:29:52 -0400
To: focus-ms@securityfocus.com
On May 10, 2004, at 11:42 AM, Levinson, Karl wrote:
> RestrictAnonymous=1 does not disable netbios null sessions or prevent
> enumeration of data. It just tries to reduce the amount of data detail that
> can be enumerated. Read the articles at www.securityfriday.com and download
> the free Getacct tool from that site to see what information is still
> available from your system anonymously.
This was very helpful. Getacct does indeed show all my users, and
conveniently marks which ones have Administrative privileges.
> As you may know, for XP, there is a second registry value,
> RestrictAnonymousSam. Search www.google.com for "RestrictAnonymousSam" for
> information on how it works. In Windows 2000, as you may know there is also
> a value RestrictAnonymous=2 which does not exist in either NT, XP or 2003
> [but which is similar to RestrictAnonymous=1 plus RestrictAnonymousSAM=1 in
> XP and 2003]. This gets you closer to protecting your user lists. But you
> can't consider using these higher values until you get rid of NT, 9x and ME
> from your network, as well as some other legacy software considerations.
> The Windows 2000 Group Policy guide at www.nsa.gov/snac/ has some good
> information and links on the things that can break.
So basically, long term, wait for Active Directory - still waiting for
campus network folks to implement this at the university level. We're
not allowed to start our own AD on a per-department basis.
There is not much I can do in the meantime to block whatever method
getacct uses to gain access to the user list?
-David
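Added example, not part of the original message or of any tool named in it: a PowerShell audit of the two LSA values discussed above, reporting whether a host sits at the strictest setting the thread describes for its OS. The helper names `Get-LsaDword` and `Get-AnonymousPosture` and the finding strings are assumptions; `Get-AnonymousPosture` takes plain values so that data collected from older hosts by other means can be evaluated too.

```powershell
# Added example: audit the anonymous-access values discussed in this thread.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    # An absent value is reported as 0 (no restriction) instead of raising an error.
    $p = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]($p.$Name)
}

function Get-AnonymousPosture {            # hypothetical helper name
    param(
        [int]$RestrictAnonymous,
        [int]$RestrictAnonymousSam,
        [version]$OsVersion
    )
    $isWin2000 = ($OsVersion.Major -eq 5 -and $OsVersion.Minor -eq 0)
    $findings  = @()

    if ($isWin2000) {
        # Per the thread, RestrictAnonymous=2 exists only on Windows 2000.
        if ($RestrictAnonymous -lt 2) {
            $findings += "RestrictAnonymous=$RestrictAnonymous : account detail is still enumerable anonymously."
        }
    } else {
        # Per the thread, XP/2003 pair RestrictAnonymous=1 with RestrictAnonymousSAM=1.
        if ($RestrictAnonymous -lt 1) {
            $findings += 'RestrictAnonymous=0: anonymous enumeration is not restricted.'
        }
        if ($RestrictAnonymous -ge 2) {
            $findings += 'RestrictAnonymous=2 is a Windows 2000 value and is not defined on this OS.'
        }
        if ($RestrictAnonymousSam -ne 1) {
            $findings += 'RestrictAnonymousSAM is not 1: RestrictAnonymous alone only reduces detail.'
        }
    }
    [pscustomobject]@{
        RestrictAnonymous    = $RestrictAnonymous
        RestrictAnonymousSam = $RestrictAnonymousSam
        AtStrictestValues    = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Evaluate the local machine. Tightening these values can break NT/9x/ME clients,
# as the quoted reply notes, so treat the output as a report, not a change list.
Get-AnonymousPosture -RestrictAnonymous (Get-LsaDword 'RestrictAnonymous') `
    -RestrictAnonymousSam (Get-LsaDword 'RestrictAnonymousSAM') `
    -OsVersion ([Environment]::OSVersion.Version)
```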