Re: anonymous logon

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/06/04

    Date: Wed, 06 Oct 2004 02:32:17 GMT
    
    

    It creates a "null" session to the target computer. Ipc$ is the inter
    process communication share [I think that is the name] which the operating
    system uses legitimately for null/unauthenticated sessions for tasks like
    maintaining the browse list. If you run the net share command on a computer
    you will see the ipc$ share if file and print sharing is enabled. The /u
    specifies the username for the connection to the share and the "" indicates
    anonymous connection. A malicious user can use null sessions to enumerate
    information about a computer such as the users, groups, and shares on it
    which is one reason why you want to protect your computer from the internet
    with a firewall. The links below will explain in more detail. --- Steve

    http://support.microsoft.com/?kbid=246261 -- description on some of the
    uses of anonymous sessions.
    http://www.sans.org/rr/papers/index.php?id=286 -- good paper on null
    sessions.

    "nandkisham" <nandkisham.1dohce@mail.mcse.ms> wrote in message
    news:nandkisham.1dohce@mail.mcse.ms...
    >
    > Hi Steve:
    >
    > can you explain me what exactly this command does
    >
    > net use \\servername\ipc$ """" /u:""
    >
    > i mean, what is 'ipc' and 'u:'
    >
    > thanks,
    >
    > nandu.
    >
    > please send the reply to nandu@temple.edu
    >
    >
    >
    >
    > Steven Umbach wrote:
    >> *These may be normal and are "null" sessions used by Windows networking for
    >> various processes such as maintaining the browse list [you can try to create one
    >> by using net use \\servername\ipc$ """" /u:"" ]. They can be exploited from
    >> untrusted networks to try to enumerate user/group info on the computer which
    >> would be indicated by a large number of failed logon attempts using non default
    >> user names. To protect yourself, a properly configured firewall is needed. If
    >> you have file and print sharing enabled on your server make sure it is disabled
    >> on the external/public nic or better yet uninstall it from the server if it is
    >> not needed to offer shares or remotely manage the computer via Computer
    >> Management. If this is also not a domain controller, you may try configuring the
    >> security option in Local Security Policy for additional restrictions for
    >> anonymous connections to be "no access without explicit anonymous permissions".
    >> In addition, if you have not done so it would be a good idea to run Microsoft
    >> Baseline Security Analyzer on your server and the highly recommended IISLockdown
    >> tool, but only after backing up the server and IIS configuration using the IIS
    >> Management Console/servername/action/backup & restore configuration since if you
    >> do not pay close attention, wanted virtual directories may be deleted during the
    >> process. --- Steve
    >>
    >> http://tinyurl.com/swcx
    >> http://tinyurl.com/4lm94
    >>
    >> "Sandy" <anonymous@discussions.microsoft.com> wrote in message
    >> news:cb6301c3ee7b$f20ad490$a001280a@phx.gbl...
    >> > I'm getting a lot of these messages on my webserver ---
    >> > the guest account is disabled but obviously IUSR_, IWAM_
    >> > is enabled..
    >> >
    >> > Event Type: Success Audit
    >> > Event Source: Security
    >> > Event Category: Logon/Logoff
    >> > Event ID: 538
    >> > Date: 2/8/2004
    >> > Time: 12:44:08 PM
    >> > User: NT AUTHORITY\ANONYMOUS LOGON
    >> > Computer: NS4
    >> > Description:
    >> > User Logoff:
    >> > User Name: ANONYMOUS LOGON
    >> > Domain: NT AUTHORITY
    >> > Logon ID: (0x0,0x1895F3E)
    >> > Logon Type: 3
    >> >
    >> >
    >> > Any insight would be appreciated - as this is VERY
    >> > unnerving
    >> > Thanks *
    >
    >
    >
    > --
    > nandkisham
    > ------------------------------------------------------------------------
    > Posted via http://www.mcse.ms
    > ------------------------------------------------------------------------
    > View this thread: http://www.mcse.ms/message373763.html
    >
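
Added example, not part of the original posts: a Python triage of exported Security log records that separates routine null-session events (ANONYMOUS LOGON, Logon Type 3, as in the quoted event 538) from the enumeration indicator described in the thread, many failed logons using non-default user names. The "Field: value" export layout follows the quoted event; event ID 529 as the failed-logon ID, the default account names, the threshold and the sample records are assumptions constructed for this example.

```python
import re

FAILED_LOGON_IDS = {"529"}                  # assumption: failed logon, bad user name/password
DEFAULT_NAMES = {"administrator", "guest"}  # assumption: built-in account names

def parse_events(text):
    """Split blank-line separated records into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def is_null_session(ev):
    """True for a network (type 3) logon/logoff by the anonymous identity."""
    return (ev.get("User Name", "").upper() == "ANONYMOUS LOGON"
            and ev.get("Logon Type") == "3")

def triage(events, threshold=3):
    """Count null sessions; flag failed logons that cycle through non-default names."""
    null_sessions = sum(1 for ev in events if is_null_session(ev))
    guessed = {ev["User Name"].lower() for ev in events
               if ev.get("Event ID") in FAILED_LOGON_IDS
               and ev.get("User Name")
               and ev["User Name"].lower() not in DEFAULT_NAMES}
    return {"null_sessions": null_sessions,
            "guessed_names": sorted(guessed),
            "enumeration_suspected": len(guessed) >= threshold}

def _record(event_id, user, logon_type="3"):
    return f"Event ID: {event_id}\nUser Name: {user}\nLogon Type: {logon_type}"

# Constructed sample: two anonymous logoffs plus four failed logons.
SAMPLE = "\n\n".join(
    [_record(538, "ANONYMOUS LOGON")] * 2
    + [_record(529, u) for u in ("backup", "sqladmin", "webmaster", "Administrator")]
)

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```

Null sessions alone are reported as a count, since the thread notes they can be normal; only the spread of guessed account names raises the flag.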

