Re: workgroup

From: Vic Parat (vic.parat@nssecurity.com)
Date: 02/11/03

    From: "Vic Parat" <vic.parat@nssecurity.com>
    To: "Kenzo" <kenzo_chin@hotmail.com>, <security-basics@securityfocus.com>
    Date: Tue, 11 Feb 2003 09:55:45 -0800
    
    

    Kenzo,
      The reason you're seeing Windows workgroups "pop up" is that they
    broadcast their names every so often and that broadcast is cached. Going to
    AD will not stop the broadcast and they will still show up. Workgroups are
    based on a peer-to-peer model where accounts are held locally to each
    machine; you really couldn't get in unless you had an account on each
    machine belonging to the workgroup. Regardless of the local policy, they
    will still need to broadcast their nbt name table, which you can capture via
    your local nbt cache: c:\nbtstat -c. At which point you can look them up
    via: c:\nbtstat -A xxx.xxx.xxx.xxx (their IP address). Look for any nbt
    types <03> (messenger service); it should list their computer name and
    the currently logged on account. This is all assuming they have not disabled
    NetBIOS on their network interface, in which case all of this is moot, including
    the name broadcast. You can also look at your current leases on your DHCP
    server.
    Side note: you're giving your end users a lot of credit regarding their
    technical knowledge. My experience shows that users don't know a thing
    about workgroups, local policies, or protocol filtering. They just plug in
    and expect to be able to do their job.
    Vic Parat

    ----- Original Message -----
    From: "Kenzo" <kenzo_chin@hotmail.com>
    To: <security-basics@securityfocus.com>
    Sent: Tuesday, February 11, 2003 8:31 AM
    Subject: workgroup

    > I was wondering if there's a way to see who's in a Windows workgroup.
    > Yes, my work still uses Windows workgroups. I've been trying to change that
    > to AD so that the guys to have to run around just to install updates.
    > Getting there slowly.
    > Anyways, I've noticed that sometimes a workgroup will just pop up. Most of
    > the time when someone brings in a laptop from home and plugs it in, it will
    > do that. But now, in Windows 2000, you have an option that you can set so
    > that no one can get in your computer (I believe in the local security
    > policy), so anyone trying to go into the workgroup won't be able to.
    > Usually if someone brings in their laptop, they let us know ahead of time to
    > make sure that it's ok, but what if someone did come in and set their
    > computer to block all access to it, how can I see who it is? Like the
    > computer name or IP address.
    >
    > Thanks.
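
The lookup described in the reply above (reading an `nbtstat -A` name table for the `<03>` entries), as an added example that is not part of the original message: a Python parser run over a constructed sample of the output. The host, workgroup and account names and the addresses are made up, and a reply with no name table (NetBIOS disabled or host unreachable) is treated as nothing to read.

```python
import re

# Constructed sample of `nbtstat -A 192.0.2.25` output; every name is made up.
SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOMELAPTOP     <00>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    HOMELAPTOP     <03>  UNIQUE      Registered
    HOMELAPTOP     <20>  UNIQUE      Registered
    MSHOME         <1E>  GROUP       Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AA-BB-CC
"""

# Constructed reply for a host with NetBIOS disabled or unreachable.
NO_NETBIOS = ("Local Area Connection:\n"
              "Node IpAddress: [192.0.2.10] Scope Id: []\n\n    Host not found.\n")

ROW = re.compile(r"^[ \t]*(\S+)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)\b", re.M)
MAC = re.compile(r"MAC Address = ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def summarize(text):
    """Return computer name, workgroup, <03> accounts and MAC, or None if no table."""
    rows = [(name, suffix.upper(), kind) for name, suffix, kind in ROW.findall(text)]
    if not rows:
        return None  # NetBIOS disabled or host did not answer: nothing to read
    computer = next((n for n, s, k in rows if s == "00" and k == "UNIQUE"), None)
    workgroup = next((n for n, s, k in rows if s == "00" and k == "GROUP"), None)
    # <03> is registered for the machine itself and for the logged-on account;
    # whatever is not the computer name is the account.
    accounts = sorted({n for n, s, k in rows if s == "03" and n != computer})
    mac = MAC.search(text)
    return {"computer": computer, "workgroup": workgroup,
            "accounts": accounts, "mac": mac.group(1) if mac else None}


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(NO_NETBIOS))
```

The MAC address from the table can be matched against the DHCP server's lease list to tie the name to an IP address and switch port.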


