Re: ftp Log reveals attackers have knowledge of Admin usernames

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 05/07/03


Date: Wed, 7 May 2003 17:09:00 -0400


"Mavi Gozler" <mavigozler@yahoo.com> wrote in message
news:5446f761.0305071155.62502a5e@posting.google.com...

> I am trying to figure out how someone not logged into the host can
> acquire the username list but not gain total access and permissions to
> the filesystem.

I can't see the original post, but usually this is because you have no
firewall or your firewall is not blocking NetBIOS traffic. NetBIOS by
default offers up a complete list of user names, share names and lots of
other potentially sensitive information to anyone with no ID or password
required, via "NetBIOS null sessions." If this is the case, you really need
a firewall, and may want to change the RestrictAnonymous registry setting or
Group Policy setting. See www.securityfriday.com, particularly the free
getacct tool, to see what hackers can and can't see on your server using
null sessions. Note that RestrictAnonymous=1 still lets hackers get a list
of IDs and shares, just some of the additional information is restricted.
RestrictAnonymous=2 can break a number of things such as domain controllers,
print servers, etc. [I'm not sure RestrictAnonymous=2 is valid for XP;
instead, XP also has a RestrictAnonymousSAM value.]
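
An added example, not part of the original post: a PowerShell audit of the two registry values the reply names, with each finding worded after the reply's own description. The `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` location and the function names are assumptions of this example, and the sample input is constructed.

```powershell
# Added example: audit the anonymous-access values named in the post.
# Assumption: both values live under the Lsa key below.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaAnonymousValues {
    # A value that is not set in the registry comes back as $null.
    $p = Get-ItemProperty -Path $LsaPath -ErrorAction Stop
    @{
        RestrictAnonymous    = $p.RestrictAnonymous
        RestrictAnonymousSAM = $p.RestrictAnonymousSAM
    }
}

function Test-AnonymousRestriction {
    param([Parameter(Mandatory = $true)] [hashtable] $Values)
    $ra  = $Values['RestrictAnonymous']
    $sam = $Values['RestrictAnonymousSAM']
    $out = @()

    if ($null -eq $ra -or $ra -eq 0) {
        $out += 'RestrictAnonymous is 0 or not set: null sessions are not restricted by this value.'
    } elseif ($ra -eq 1) {
        $out += 'RestrictAnonymous=1: per the post, IDs and shares can still be listed.'
    } elseif ($ra -eq 2) {
        $out += 'RestrictAnonymous=2: per the post, this can break domain controllers, print servers, etc.'
    } else {
        $out += "RestrictAnonymous=$ra is not a value the post discusses."
    }

    if ($null -eq $sam) {
        $out += 'RestrictAnonymousSAM is not set (the post mentions this value for XP).'
    } elseif ($sam -eq 0) {
        $out += 'RestrictAnonymousSAM=0: anonymous SAM enumeration is not restricted by this value.'
    } else {
        $out += "RestrictAnonymousSAM=$sam is set."
    }
    $out
}

# Constructed sample input (not taken from a real host).
Test-AnonymousRestriction -Values @{ RestrictAnonymous = 1; RestrictAnonymousSAM = $null }

# Live check, only where the registry key exists (a Windows host).
if (Test-Path $LsaPath) {
    Test-AnonymousRestriction -Values (Get-LsaAnonymousValues)
}
```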
