Home page logo
/

basics logo Security Basics mailing list archives

Re: workgroup
From: "Vic Parat" <vic.parat () nssecurity com>
Date: Tue, 11 Feb 2003 09:55:45 -0800

Kenzo,
  This reason you're seeing windows workgroup "pop up" is that they
broadcast their names every so often and that broadcast is cached.  Going to
ad will not stop the broadcast and they will still show up.  Workgroups are
base on a peer to peer model where accounts are held locally to each
machine, you really couldn't get in unless you had an account on each
machine belonging to the workgroup.  Regardless of the local policy, they
will still need to broadcast their nbt name table which you can capture via
your local nbt cache: c:\nbtstat -c.  At which point you can look them up
via: c:\nbtstat -A xxx.xxx.xxx.xxx (their ip address).  Look for any nbt
types <03> (messenger service), it will should list their computer name and
the currently logged on account.  This all assuming they have not disabled
NetBIOS on their network interface, in which all of this is mute including
the name broadcast.  You can also look at your current leases on your dhcp
server.
Side note: you're given your end users a lot of credit regarding their
technical knowledge.  My experience shows that users don't know a thing
about workgroups, local policies, or protocol filtering.  They just plug in
and expect to be able to do their job.
Vic Parat

----- Original Message -----
From: "Kenzo" <kenzo_chin () hotmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, February 11, 2003 8:31 AM
Subject: workgroup


I was wondering if there's a way to see who's in a windows workgroup.
Yes, my work still use windows workgroup.  I 've been trying to change
that
to AD so that the guys to have to run around just to install updates.
Getting there slowly.
Anyways, I've notice that sometimes a workgroup will just pop up. Most of
the time when someone brings in a laptop from home and plugs it in, it
will
do that.  But now, In windows 2000, you have an option that you can set so
that no one can get in your computer( I believe in the local security
policy), so anyone trying to go into the workgroup won't be able to.
Usually if someone bring in their laptop, they let us know ahead of time
to
make sure that it's ok, but what if someone did come in and set their
computer to block all access to it, how can I see who it is. Like the
computer name or IP address.

Thanks.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault