RE: Virus is getting domain account listing
From: Levinson, Karl (Karl.Levinson_at_dhs.gov)
Date: 05/11/04
- Previous message: Levinson, Karl: "RE: Virus is getting domain account listing"
- Maybe in reply to: David Carlin: "Virus is getting domain account listing"
- Next in thread: JGrimshaw_at_ASAP.com: "Re: Virus is getting domain account listing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'David Carlin' <djc6@cwru.edu>, focus-ms@securityfocus.com
Date: Mon, 10 May 2004 19:00:46 -0400
It is true, there is simply no way to turn off NetBIOS null sessions in a
Windows NT domain, and never will be.
You can in some cases use firewall and router ACLs to limit which source IP
addresses can reach the NetBIOS ports on your servers; but in a large
environment such as a college campus, this can be difficult and not entirely
effective.
I suppose you could try using an inline IDS [such as Snort] or IPS to block
NetBIOS wildcard requests... However, these occur in normal NetBIOS use, and
blocking these requests could break things. This would also probably not
prevent a determined hacker from enumerating your SIDs one at a time. You
could also use an IDS to show you what it looks like when someone runs
Winfingerprint.sf.net or getacct or any variety of common null session
tools, and see if it is possible to detect if not block some of these
without breaking anything else. Really, since IDS has a hard time telling
null session enumeration from normal activity [and since we're not even sure
yet whether enumeration is being done here], you may just want to rely on
the account lockout feature you've already got, along with using IDS to
detect rather than prevent such attacks.
If a virus or attacker simply attempts to log in as SID 500 / 501, and you
have not disabled the default local administrator account and created your
own, this account can probably still be locked out without bothering with
enumeration, even if you eventually disable NetBIOS null sessions.
-----Original Message-----
From: David Carlin [mailto:djc6@cwru.edu]
Sent: Monday, May 10, 2004 1:30 PM
To: focus-ms@securityfocus.com
Subject: Re: Virus is getting domain account listing
So basically, long term, wait for Active Directory - still waiting for
campus network folks to implement this at the university level. We're
not allowed to start our own AD on a per-department basis.
There is not much I can do in the meantime to block whatever method
getacct uses to gain access to the user list?
-David
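The "detect rather than prevent" approach Karl describes above, as an added example that is not part of the original thread: a small detector that replays a constructed security-log export and raises an alert when one source address produces a burst of anonymous (null-session) network logons, when it repeatedly fails to authenticate as the built-in Administrator account (RID 500), or when that account is locked out. The pipe-separated record layout, the sample addresses and the 60-second window are assumptions made for this example; the event ids follow the Windows 2000/2003-era security log (540 successful network logon, 529 bad password, 644 account locked out).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: "timestamp|event_id|account|source_ip".
# The layout is an assumption for this example, not a real Windows format.
SAMPLE_LOG = """\
2004-05-10 13:00:01|540|ANONYMOUS LOGON|10.20.30.40
2004-05-10 13:00:02|540|ANONYMOUS LOGON|10.20.30.40
2004-05-10 13:00:03|540|ANONYMOUS LOGON|10.20.30.40
2004-05-10 13:00:04|540|ANONYMOUS LOGON|10.20.30.40
2004-05-10 13:00:05|540|ANONYMOUS LOGON|10.20.30.40
2004-05-10 13:00:30|540|ANONYMOUS LOGON|10.20.30.41
2004-05-10 13:00:40|540|jsmith|10.20.30.42
2004-05-10 13:01:00|529|Administrator|10.20.30.40
2004-05-10 13:01:01|529|Administrator|10.20.30.40
2004-05-10 13:01:02|529|Administrator|10.20.30.40
2004-05-10 13:01:03|644|Administrator|10.20.30.40
2004-05-10 13:05:00|529|jsmith|10.20.30.42
"""

# Name of the RID 500 account; assumes the default name has not been changed.
BUILTIN_ADMIN = "Administrator"


def parse_record(line):
    """Split one constructed log line into its four fields."""
    ts, event_id, account, source = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "account": account,
        "source": source,
    }


def _burst(bucket, ts, window, threshold):
    """Sliding-window counter: add ts, drop entries older than window,
    and report whether the window now holds at least `threshold` events."""
    bucket.append(ts)
    while ts - bucket[0] > window:
        bucket.popleft()
    return len(bucket) >= threshold


def detect(log_text, window_seconds=60, null_threshold=5, admin_fail_threshold=3):
    """Return a list of (alert_kind, source_ip) tuples, one per source and kind."""
    window = timedelta(seconds=window_seconds)
    anon_logons = defaultdict(deque)   # source -> timestamps of null-session logons
    admin_fails = defaultdict(deque)   # source -> timestamps of failed admin logons
    alerts, seen = [], set()

    def alert(kind, source):
        # Fire once per (kind, source) so a long burst does not flood the console.
        if (kind, source) not in seen:
            seen.add((kind, source))
            alerts.append((kind, source))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        src = rec["source"]
        if rec["event_id"] == 540 and rec["account"].upper() == "ANONYMOUS LOGON":
            # Null sessions show up as successful network logons by ANONYMOUS LOGON;
            # a single one is normal, a burst from one host looks like enumeration.
            if _burst(anon_logons[src], rec["ts"], window, null_threshold):
                alert("null_session_burst", src)
        elif rec["event_id"] == 529 and rec["account"] == BUILTIN_ADMIN:
            # Repeated bad passwords for the RID 500 account from one host.
            if _burst(admin_fails[src], rec["ts"], window, admin_fail_threshold):
                alert("builtin_admin_password_guessing", src)
        elif rec["event_id"] == 644 and rec["account"] == BUILTIN_ADMIN:
            # The lockout policy fired on the built-in administrator account.
            alert("builtin_admin_locked_out", src)
    return alerts


if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"{kind}: {src}")
```

The thresholds are the tuning knobs Karl's caveat is about: a null-session logon or two per minute from a file server or a domain controller is ordinary NetBIOS traffic, so the window and count have to be set from a baseline of your own logs before the alert means anything.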