Re: nessus scan

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 06/25/04

Next message: serg: "Can't delete folders"

Previous message: Matthew Mucker [MSFT]: "RE: Problems with user accounts/security settings"
In reply to: BOFH: "Re: nessus scan"
Next in thread: Joe Richards [MVP]: "Re: nessus scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 24 Jun 2004 22:06:53 GMT

The Threats and Countermeasures guide that I referenced before explains it about
as well as anything I have seen along with reommendations. In W2K there was
basically one configuration setting while Windows 2003 and XP Pro have about
seven settings to restrict anonymous access for more granular control. -- Steve

"BOFH" <bofh1234@hotmail.com> wrote in message
news:%23mg7gJiWEHA.2844@TK2MSFTNGP09.phx.gbl...
> Thank you for the information. I think that this needs to documented
> somewhere in a KB article. This looks like a little change from the way
> windows 2000 server did things.
>
> BOFH1234
>
> "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
> news:svECc.103532$eu.72794@attbi_s02...
> > Null sesions do not really enable guest access to resources. They are used
> > for various networking processes including maintaining the browse list,
> > downlevel trusts, and for changing passwords before a user logs onto the
> > computer in certain cases. Null sessions can allow unuathenticated access
> to
> > enumerate share, user, group, and other information. This information can
> be
> > used to mount an attack against a computer or a domain though a properly
> > configured firewall will prevent untrusted networks from obtaining that
> > information. Null sessions do NOT allow unauthenticated access to data on
> > shares. Enabling the "guest account" will allow unauthenticated access to
> > shares that have everyone permissions including ntfs permissions and the
> > user right to access this computer from the network. The setting of 1 is
> > good compromise for most domain controllers as 2 will even cause problems
> > when XP Pro users try to change their domain passwords at logon. Setting
> it
> > at 2 may be fine for domain workstations and servers if you are not using
> > downlevel clients to access those servers. If you have a properly
> configured
> > firewall, and account lockout policy, enforce complex passwords, and
> enable
> > auditing for account logons events and account management on domain
> > controllers and logon events on your servers, I would not be too concerned
> > about leaving null access at 1. I am not that that familair about null
> > access to ldap. I suggest also posting to the win2000.Active_directory
> > newsgroup about that issue. --- Steve
> >
> >
> http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch05.mspx --
> > - read more about null/anonymous access at the link including potential
> > impact.
> >
> http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.
> > mspx -- and here under additional restrictions for anonymous access under
> > security options
> >
> > "BOFH" <bofh1234@hotmail.com> wrote in message
> > news:u7XJWpgWEHA.204@TK2MSFTNGP10.phx.gbl...
> > > As a part of our new policy to port scan everything several times a year
> > > using nessus, we have come across a couple of things when scanning our
> > > fully patched windows 2003 enterprise servers:
> > >
> > > 1. It was possible to log into the remote host using a NULL session.
> The
> > > concept of a NULL session is to provide a null username and a null
> > password,
> > > which grants the user the 'guest' access.
> > >
> > > To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261
> > > (Windows 2000).
> > > Note that this won't completely disable null sessions, but will prevent
> > them
> > > from connecting to IPC$
> > > Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
> > >
> > > I have set the restrictanonymous registry key to 1 and 2 (with reboots
> > > between the changes) and every scan I run I always get the above
> message.
> > > Is there a way to disable 'guest' access? Is there some KB Article I
> > missed
> > > that discusses NULL sessions and windows 2003?
> > >
> > > 2. How do I disable NULL BIND on my LDAP servers? I am not running
> > > exchange.
> > >
> > > Thank you for your time,
> > >
> > > BOFH1234
> > >
> > >
> >
> >
>
>

Next message: serg: "Can't delete folders"

Previous message: Matthew Mucker [MSFT]: "RE: Problems with user accounts/security settings"
In reply to: BOFH: "Re: nessus scan"
Next in thread: Joe Richards [MVP]: "Re: nessus scan"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Outlook express
... I recently purchased a Dell and still want to use Outlook ... no matter what computer you use to access your account. ... still go through all of your accounts with passwords and change them. ... Email goes to your ISP's servers, ...
(microsoft.public.windows.inetexplorer.ie6_outlookexpress)
Re: nessus scan
... Null sessions do NOT allow unauthenticated access to data on ... > when XP Pro users try to change their domain passwords at logon. ... > downlevel clients to access those servers. ... > auditing for account logons events and account management on domain ...
(microsoft.public.win2000.security)
Re: MS Exchange Relay Authentication
... I've seen this on a few servers in various environments. ... The account was still named Administrator ... It seems that account passwords are being cracked. ...
(NT-Bugtraq)
Account lockout after changing password.
... passwords. ... logs on and accesses a resource the account locks out. ... We are running a Windows 2000 network mixed mode though ... All Windows 2000 servers are running ...
(microsoft.public.win2000.security)
Re: Account lockouts
... for reusable passwords and the AAA infrastructures that rely upon them? ... In that context, account lockout policy -- duration, threshold, lockout ... > cracking attacks. ...
(microsoft.public.security)