Re: preventing username enumeration on NT4

From: chris@nospam.com
Date: Sun, 02 Jun 2002 22:24:43 -0700

On Mon, 03 Jun 2002 03:49:20 GMT, Nameless User
<notvalid@notvalid.com> wrote:

>Hello again,
>
>If you recall, I am the only IT guy for a small network that was
>compromised. So far, it appears as though the attacker did nothing more
>than find the single weak password on an account with few privileges, but
>I doubt I can ever be certain.
>
>I read through your responses and I have done some research. I've forced
>password changes on everybody and implemented a stronger password policy.
>I will likely end up doing a complete rebuild, but I also want to learn
>about security and hacking (it's a fascinating field).
>
>I am fairly certain that the attacker established a null session and then
>obtained the usernames (don't know what program was used though). As a
>matter of fact, I am going to try this tomorrow on my own servers as it
>seems very simple.

There are a multitude of programs, including Perl scripts.

>I want to prevent future attackers from doing this. One method is to set
>a registry value to 1 (something like restrictanonymous). But this method
>is only partially effective and may deter some attacks, but the threat is
>still present (i.e. I can't prevent the use of sid2user & user2sid this
>way).
>
>The big problem lies in the exposure of port 139 to the Internet.
>
>Am I correct in assuming that it's very difficult (impossible?) to prevent
>null session establishments in NT 4 while simultaneously utilizing the
>following features:
>- shared drives (accessed locally and sometimes remotely)
>- WINS
>
>I can unbind netbios from the NIC, but I think that causes problems with
>those features, right?

Sounds like the server only has one NIC and you have a router sitting
on the network for internet access? In this case, all of your clients
are exposed too, and you need a more global solution than looking at
just one server!

>Our organization's resources are slim, so buying/using additional
>computers so each computer serves a single purpose is not likely. Also
>forget about hiring a security consultant.
>
>What about packet filtering at the router? What options do I have there?
>And an application firewall? I am not entirely sure which ports I must
>leave open to the world for the following functions:
>- PDC / web server (IIS 4) / shared drives
>- BDC / web server (IIS 4, OWA) / Exchange Server

By all means filter ports at the router - starting with the NetBIOS
ports. Start by looking at what services you want to allow in and to
where, for example ports
        80 for http to your web server
        8080 for https,
        25 for SMTP to your email system
        110 if you allow people to use POP3 to check email
        et cetera.
From this create the access-control lists to control inbound
connections. If it's a Cisco router, search www.cisco.com for help on
creating ACLs. You can also buy firewall appliances to put in front of
or behind the router.

By 'shared folders' are you talking about web folders? I don't have
much experience with that, but I understand it is full of security
problems. FTP would be more secure.

>Is it possible to grab an old computer and write an application that
>intercepts "bad" packets coming towards my PDC & BDC, and then send back
>the appropriate response to make the targets seem like they're not there?

You could set up an old machine running Linux and ipchains. Basically
a poor man's firewall. Works pretty well, too. This would need to go
between the internet and your network, i.e. immediately in front of or
behind the router.

>Any resources on undertaking such a task (I only have basic socket
>programming experience)?

Don't try to write it yourself. You'll spend more in your labor than
buying something that has already been tested and validated.
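As an added example that is not part of the thread, this is what the inbound router ACL chris describes could look like on a Cisco IOS router for the two servers the original poster lists: NetBIOS is dropped and logged before anything else, only the advertised services reach the one host that runs each of them, and everything else is denied. The server addresses (RFC 5737 documentation space) and the interface name are placeholders, not values from the thread.

```cisco
! Constructed example. 192.0.2.10 stands for the PDC, 192.0.2.11 for the BDC.
ip access-list extended INBOUND-FROM-INTERNET
 remark Drop NetBIOS/SMB from the Internet first and log the hits, so
 remark null-session and user-enumeration attempts never reach port 139
 remark and each attempt shows up in the router's syslog.
 deny   tcp any any range 135 139 log
 deny   udp any any range 135 139 log
 deny   tcp any any eq 445 log
 deny   udp any any eq 445 log
 remark Services deliberately exposed, each only to the host that runs it.
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.11 eq www
 permit tcp any host 192.0.2.11 eq smtp
 permit tcp any host 192.0.2.11 eq pop3
 remark Return traffic for connections the inside hosts opened themselves.
 permit tcp any any established
 remark Anything not listed above is dropped and logged.
 deny   ip any any log
!
interface Serial0
 ip access-group INBOUND-FROM-INTERNET in
```

The `log` keywords are what make this useful for detection as well as prevention: a burst of denied packets to 137-139 from one source is the enumeration attempt the original poster is worried about, visible in the router log instead of in the NT event log after the fact.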
