RE: Basic firewall filtering question

From: Ferino Mardo (RMardo_at_ALJOMAIHBEV.com)
Date: 07/27/04

    Date: Tue, 27 Jul 2004 20:47:45 +0300
    To: <security-basics@securityfocus.com>
    
    

    But wouldn't that break some required connections from the AD/DC? Don't
    they connect thru null sessions?

    > -----Original Message-----
    > From: Gethin Jones [mailto:gethinj@gethin.net]
    > Sent: Monday, July 26, 2004 9:54 PM
    > To: Ferino Mardo; security-basics@securityfocus.com
    > Subject: Re: Basic firewall filtering question
    >
    >
    > Dear All,
    >
    > The best way to secure these 'holes' in NETBIOS security is
    > to put security policies in place that do not allow 'NULL'
    > account access to NETBIOS shares such as C$, ADMIN$ and IPC$.
    > If you start blocking access to these shares completely you
    > will run into all sorts of problems.
    >
    > Have a look :-)
    >
    > Windows 2000
    > 1.. Open up the Domain Policy.
    > 2.. Select Security Settings
    > 3.. Select Local Policies
    > 4.. Select Security Options.
    > 5.. Choose "Additional restrictions of anonymous
    > connections" in the policy pane and from the pull down menu
    > labelled "Local policy setting", select "No access without
    > explicit anonymous permissions". Click OK and reboot the machine.
    >
    > Windows XP & Windows 2003
    >
    > 1.. Open the Domain Policy
    > 2.. Select Security Settings
    > 3.. Select Local Policies
    > 4.. Select Security Options. Make sure that BOTH the
    > following options are enabled:
    >
    >
    > Network Access: Do not allow anonymous enumeration of SAM accounts.
    >
    > Network Access: Do not allow anonymous enumeration of SAM
    > accounts and shares.
    >
    >
    >
    > The Windows XP & 2003 settings do not completely fix the
    > problem as some aspects of the policies have not been added
    > by Microsoft yet. But as Microsoft releases patches for their
    > servers they will incorporate the correct settings.
    >
    >
    >
    > Best Regards
    >
    >
    >
    > Gethin
    >
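
An added example, not part of the original thread: a PowerShell check for the anonymous-access settings named in the quoted steps. It assumes the policies are stored as the `RestrictAnonymous` and `RestrictAnonymousSAM` DWORD values under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; the function names and the sample values are hypothetical.

```powershell
# Added example: audit the anonymous (null session) restrictions named in the thread.
# Assumption: the policies are backed by these DWORD values under the Lsa key.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Expected values per platform, taken from the steps in the quoted message.
$Expected = @{
    Windows2000 = @(
        @{ Value = 'RestrictAnonymous'; Want = 2
           Policy = 'No access without explicit anonymous permissions' }
    )
    XP2003 = @(
        @{ Value = 'RestrictAnonymousSAM'; Want = 1
           Policy = 'Do not allow anonymous enumeration of SAM accounts' }
        @{ Value = 'RestrictAnonymous'; Want = 1
           Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' }
    )
}

function Get-LsaValues {
    # Read the live values; a value that is absent is left out of the result.
    $props = Get-ItemProperty -Path $LsaKey
    $found = @{}
    foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
        if ($null -ne $props.$name) { $found[$name] = [int]$props.$name }
    }
    $found
}

function Test-AnonymousRestriction {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [hashtable] $Lsa,
        [Parameter(Mandatory = $true)] [ValidateSet('Windows2000', 'XP2003')] [string] $Platform
    )
    foreach ($check in $Expected[$Platform]) {
        # A missing value stays $null and is reported as non-compliant.
        $actual = $null
        if ($Lsa.ContainsKey($check.Value)) { $actual = [int]$Lsa[$check.Value] }
        [pscustomobject]@{
            Policy = $check.Policy; Value = $check.Value
            Expected = $check.Want; Actual = $actual
            Compliant = ($actual -eq $check.Want)
        }
    }
}

# Constructed sample: only the SAM-only restriction is enabled.
$sample = @{ RestrictAnonymousSAM = 1; RestrictAnonymous = 0 }
Test-AnonymousRestriction -Lsa $sample -Platform XP2003 | Format-List
# Live host: Test-AnonymousRestriction -Lsa (Get-LsaValues) -Platform XP2003
```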
