RE: Virus is getting domain account listing
From: Corinna (corinna_at_turbonet.com)
Date: 05/11/04
- Previous message: Levinson, Karl: "RE: Virus is getting domain account listing"
- In reply to: David Carlin: "Re: Virus is getting domain account listing"
- Next in thread: Samuel Petreski: "RE: Virus is getting domain account listing"
To: <focus-ms@securityfocus.com> Date: Mon, 10 May 2004 15:00:53 -0700
well, actually... this HKLM\System\CurrentControlSet\Control\LSA
restrictanonymous=2, restrictanonymoussam=1
the setting works only on our winxp, win2000, win2003 member machines...
on our Win2003 AD domain controllers... one can still use null session to
get our entire list of domain accounts.
if anyone knows of any fix... please let me know.
thanks!
- corinna
-----Original Message-----
From: David Carlin [mailto:djc6@cwru.edu]
Sent: Monday, May 10, 2004 10:30 AM
To: focus-ms@securityfocus.com
Subject: Re: Virus is getting domain account listing
On May 10, 2004, at 11:42 AM, Levinson, Karl wrote:
> RestrictAnonymous=1 does not disable netbios null sessions or prevent
> enumeration of data. It just tries to reduce the amount of data detail that
> can be enumerated. Read the articles at www.securityfriday.com and download
> the free Getacct tool from that site to see what information is still
> available from your system anonymously.
This was very helpful. Getacct does indeed show all my users, and
conveniently marks which ones have Administrative privileges.
> As you may know, for XP, there is a second registry value,
> RestrictAnonymousSam. Search www.google.com for "RestrictAnonymousSam" for
> information on how it works. In Windows 2000, as you may know there is also
> a value RestrictAnonymous=2 which does not exist in either NT, XP or 2003
> [but which is similar to RestrictAnonymous=1 plus RestrictAnonymousSAM=1 in
> XP and 2003]. This gets you closer to protecting your user lists. But you
> can't consider using these higher values until you get rid of NT, 9x and ME
> from your network, as well as some other legacy software considerations.
> The Windows 2000 Group Policy guide at www.nsa.gov/snac/ has some good
> information and links on the things that can break.
So basically, long term, wait for Active Directory - still waiting for
campus network folks to implement this at the university level. We're
not allowed to start our own AD on a per-department basis.
There is not much I can do in the meantime to block whatever method
getacct uses to gain access to the user list?
-David
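An added audit script, not code from anyone in this thread, that reads the two LSA values discussed above from the local machine and summarises them the way the thread describes them (RestrictAnonymous=1 only reduces detail, RestrictAnonymous=2 on Windows 2000, RestrictAnonymousSam on XP/2003, and Corinna's observation that the values did not stop enumeration on her 2003 domain controllers). It assumes it runs on Windows with rights to read HKLM and to query Win32_OperatingSystem; treating a missing value as 0 is an assumption.

```powershell
# Added example: report the anonymous-enumeration posture of this host
# from the LSA registry values named in the thread. Not part of the thread.
function Get-LsaAnonymousPosture {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop

    # Assumption: a value that is absent from the key behaves like 0.
    $ra    = if ($null -ne $lsa.RestrictAnonymous)    { [int]$lsa.RestrictAnonymous }    else { 0 }
    $raSam = if ($null -ne $lsa.RestrictAnonymousSam) { [int]$lsa.RestrictAnonymousSam } else { 0 }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $isDC      = ($os.ProductType -eq 2)
    $isWin2000 = ($os.Version -like '5.0*')   # XP is 5.1, Server 2003 is 5.2

    $notes = @()
    if ($isWin2000) {
        # Per the thread, Windows 2000 has the extra value 2 (similar to 1 + RestrictAnonymousSam=1 elsewhere).
        switch ($ra) {
            2       { $notes += 'Windows 2000 RestrictAnonymous=2: user list protected; confirm no NT/9x/ME clients depend on null sessions' }
            1       { $notes += 'RestrictAnonymous=1 only reduces enumerated detail; null sessions still enumerate accounts' }
            default { $notes += 'RestrictAnonymous=0: anonymous enumeration unrestricted' }
        }
    } else {
        if ($raSam -eq 1)  { $notes += 'RestrictAnonymousSam=1: SAM account list withheld from anonymous callers on this member machine' }
        else               { $notes += 'RestrictAnonymousSam unset/0: anonymous SAM enumeration still possible' }
        if ($ra -ge 1)     { $notes += 'RestrictAnonymous>=1: reduces detail but does not disable null sessions' }
        else               { $notes += 'RestrictAnonymous=0: no restriction on anonymous enumeration' }
    }
    if ($isDC) {
        # The thread reports these values did not stop enumeration on Windows 2003 DCs; review DCs separately.
        $notes += 'Domain controller: these LSA values were reported ineffective on 2003 DCs; verify with a null-session check from a test host'
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        OS                   = $os.Caption
        RestrictAnonymous    = $ra
        RestrictAnonymousSam = $raSam
        DomainController     = $isDC
        Assessment           = ($notes -join '; ')
    }
}

Get-LsaAnonymousPosture | Format-List
```

Run it on one member machine and one domain controller and compare the Assessment field; a matching registry configuration with different real-world behaviour is exactly the gap Corinna describes.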