Re: Apparent NetBIOS Attack - How Dangerous?
From: Thomas (email_at_isin.my.message.com)
Date: 12/13/04
- Next message: Thomas: "Re: Apparent NetBIOS Attack - How Dangerous?"
- Previous message: Steven L Umbach: "Re: run the domain controller security policy template for secured"
- In reply to: Karl Levinson, mvp: "Re: Apparent NetBIOS Attack - How Dangerous?"
- Next in thread: Steve Clark [MSFT]: "Re: Apparent NetBIOS Attack - How Dangerous?"
- Reply: Steve Clark [MSFT]: "Re: Apparent NetBIOS Attack - How Dangerous?"
- Reply: Laura A. Robinson: "Re: Apparent NetBIOS Attack - How Dangerous?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Dec 2004 15:46:50 -0300
Thank you for your comments and links. It is interesting to see how much
information (and eventually, access!) others can obtain with NetBIOS.
Fortunately, I finally managed the problem by setting a fixed IPSec policy
to block all incoming and outgoing TCP and UDP packets through all
NetBIOS/SMB-related ports. Since then, I have not noticed any further login
attempts, so it seems that IPSec's 'firewall' is working. I still notice
that the individuals are trying to get the account list, this time without
success.
I will read the NSA security configuration guides. For now, at least, the
NetBIOS problem seems to be taken care of.
Regards,
Thomas
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:OvwqgYR4EHA.2572@tk2msftngp13.phx.gbl...
> ... for more information on how to secure this and what can break at the
> various settings, go to www.nsa.gov/snac and download the Windows 2000 group
> policy guide, think it's the third document, and search it for
> "restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
> though it doesn't block all enumeration, just blocks some details from being
> seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME or
> NT systems, for example. RestrictAnonymous=2 only exists in Windows 2000,
> for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
> which can be either 0 or 1. Search www.google.com for RestrictAnonymousSAM
> if you need more information on XP and 2003 settings.
>
> More information on why this happens and what can be seen are at
> www.securityfriday.com There is a presentation / article on netbios null
> sessions, and the free getacct tool lets you see what the hackers can see.
>
> I concur that it sounds like you have no firewall or a misconfigured
> firewall and you should not be surprised that hackers can get into your
> domain controllers. Windows is not secure until you secure it.
> www.microsoft.com/technet/security, www.nsa.gov/snac and
> www.securityadmin.info/faq.asp#harden have hardening guides for Win 2000.
>
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:uKNKGxM4EHA.924@TK2MSFTNGP14.phx.gbl...
> > Aside from failing to use a firewall, you possibly do not have policies set
> > to that you Do not allow anonymous enumeration of SAM accounts and shares.
> > This allows a remote to easily list out your account names and groups,
> > and attracts further effort due to the appearance of an easy meal.
> > The anonymous enumeration settings can be found in the security
> > setting options of the local security policy, although slightly differently
> > worded depending on OS version.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCDBA, MCSE W2k3+W2k+Nt4
> > "Thomas" <email@isin.my.message.com> wrote in message
> > news:cpira1$hjp$1@ngspool-d02.news.aol.com...
> > > I have been noticing, after checking Windows 2000's Event Viewer's security
> > > protocol, that some individual (from the Internet) is attempting to log into
> > > our computer. The attempts --fortunately all failed, so far-- start
> > > occurring a few minutes after I establish a PPPoE Internet connection, and
> > > cease after some time. When the attacks begin, they occur for several
> > > minutes, sometimes every two or three seconds, sometimes every 10-60
> > > seconds, sometimes just once or twice.
> > >
> > > In the Event Viewer, the alerts look like the following one:
> > >
> > > The logon to account: <Local account name here>
> > > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > > from workstation: 0WEWCKG1
> > > failed. The error code was: 3221225578
> > >
> > > The error type is 681.
> > >
> > > Strangely, the individual basically uses every account available in our
> > > system. That is, if we have the accounts Administrator, Peter, Thomas, Jane,
> > > then the user attempts to login with one or more of these accounts. How is
> > > it possible that our full account list is known to someone on the Internet?
> > >
> > > As the login attempts occur after packets are sent to local port 137
> > > (NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks still
> > > won't stop. The user still obtains our account list, and the failed logins
> > > still appear on the Event Viewer security protocol.
> > >
> > > What can be done in order to remedy this situation? If the subject discovers
> > > the password for one account, would it be possible for him to eventually
> > > "login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
> > > that instance, how much access does he actually have, and how much damage
> > > can he do? In advance, I appreciate any information you can provide.
> > >
> > > Regards,
> > >
> > > Thomas
> > >
> > >
> >
> >
>
>
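An added detection example, not code from any poster in this thread: it parses Event ID 681 records in the wording Thomas quoted, decodes the NTSTATUS behind error code 3221225578, and flags a source workstation that fails against several distinct accounts within a few minutes, which is the account-list sweep the thread describes. The timestamp prefix on each record and the OFFICE-PC line are constructed assumptions, not anything from the original events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the wording the post shows for Event ID 681, with a
# timestamp prefix added (an assumed layout) so attempts can be windowed.
SAMPLE_EVENTS = """\
2004-12-13 15:01:02 681 The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-13 15:01:05 681 The logon to account: Peter by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-13 15:01:09 681 The logon to account: Thomas by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 0WEWCKG1 failed. The error code was: 3221225578
2004-12-13 15:40:00 681 The logon to account: Thomas by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: OFFICE-PC failed. The error code was: 3221225578
"""
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) 681 The logon to account: (?P<account>\S+) "
    r"by: \S+ from workstation: (?P<ws>\S+) failed\. The error code was: (?P<code>\d+)$")
# NTSTATUS values behind the decimal code in the event. 0xC000006A means the account
# name was valid and only the password was wrong: the sign that the attacker already
# holds the account list (as the post observes), rather than guessing names.
STATUS_NAMES = {0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000064: "STATUS_NO_SUCH_USER"}

def status_name(code):
    return STATUS_NAMES.get(code, "0x%08X" % code)

def parse_events(text):
    """Parse the 681 records into dicts with time, account, workstation and code."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "account": m["account"], "workstation": m["ws"],
                           "code": int(m["code"])})
    return events

def find_account_sweeps(events, min_accounts=3, window=timedelta(minutes=5)):
    """Flag workstations that fail against min_accounts distinct accounts within one
    window: one source walking a known account list, not a user mistyping a password.
    Returns {workstation: sorted account names}."""
    by_ws = defaultdict(list)
    for ev in events:
        by_ws[ev["workstation"]].append(ev)
    sweeps = {}
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            names = {e["account"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(names) >= min_accounts:
                sweeps[ws] = sorted(names)
                break
    return sweeps
```

Running `find_account_sweeps(parse_events(SAMPLE_EVENTS))` reports only 0WEWCKG1, since the single OFFICE-PC failure is consistent with an ordinary typo rather than a sweep.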