Re: Basic firewall filtering question

From: Gethin Jones (gethinj_at_gethin.net)
Date: 07/26/04

  • Next message: Ant: "Fwd: antivirus for linux"
    To: "Ferino Mardo" <RMardo@ALJOMAIHBEV.com>, <security-basics@securityfocus.com>
    Date: Mon, 26 Jul 2004 19:53:44 +0100
    
    

    Dear All,

    The best way to secure these 'holes' in NETBIOS security is to put security
    policies in place that do not allow 'NULL' account access to NETBIOS shares
    such as C$, ADMIN$ and IPC$. If you start blocking access to these shares
    completely you will run into all sorts of problems.

    Have a look :-)

    Windows 2000
      1.. Open up the Domain Policy.
      2.. Select Security Settings
      3.. Select Local Policies
      4.. Select Security Options.
      5.. Choose "Additional restrictions of anonymous connections" in the
    policy pane and from the pull down menu labelled "Local policy setting",
    select "No access without explicit anonymous permissions. Click OK and
    reboot the machine.

    Windows XP & Windows 2003

      1.. Open the Domain Policy
      2.. Select Security Settings
      3.. Select Local Policies
      4.. Select Security Options. Make sure that BOTH the following options are
    enabled:

    Network Access: Do not allow anonymous enumeration of SAM accounts.

    Network Access: Do not allow anonymous enumeration of SAM accounts and
    shares.

    The Windows XP & 2003 settings do not completely fix the problem as some
    aspects of the policies have not been added by Microsoft yet. But as
    Microsoft releases patches for their servers they will incorporate the
    correct settings.

    Best Regards

    Gethin

    ----- Original Message -----
    From: "Ferino Mardo" <RMardo@ALJOMAIHBEV.com>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, July 24, 2004 1:46 PM
    Subject: Basic firewall filtering question

    If a personal firewall is installed in a PC connected to a Win2K LAN,
    netbios is allowed by allowing ports 137 to 139 in both directions. How
    does one define a rule such that:

    1. active directory authentication/browsing works

    While at the same time making the PC invisible to the rest of the LAN
    users?

    TIA.

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


  • Next message: Ant: "Fwd: antivirus for linux"

    Relevant Pages

    • RE: Mass Distribution of Security Policies
      ... It could start with a Network usage agreement, (Advisory Policy) to all ... Mass Distribution of Security Policies ...
      (Security-Basics)
    • RE: Security Policy-Please help
      ... your Masters in Systems & Network Security, ... Before you begin writing policies, you deffinetly want to make sure you've ... SANS Security Policy Project at http://www.sans.org/resources/policies/. ... L0phtcrack is one of the better tools for testing password ...
      (Security-Basics)
    • Re: Least User Priviledges for Network Administrators
      ... It makes sense to have a chain of command and approval policy to keep things ... the computer use policies, software purchasing policies, security ... upper management--both within the Network Technology group, ... driving the process of tightening down security. ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Least User Priviledges for Network Administrators
      ... computer use policies, software purchasing policies, security policies, etc. ... management--both within the Network Technology group, and at the top of the ... Policy. ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Question for Roger Abell
      ... may have been one about how to imprint the same local policy ... Notice that "local security ... I notice that my Local Security Policy contains Account Policies, ... The security template only contains Account Policies (which ...
      (microsoft.public.windows.group_policy)