Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [NTSEC] Re: @LERT - NT security flaw announcement
From: colins () MICROSOFT COM (Colin Surprenant)
Date: Mon, 21 Apr 1997 08:50:11 -0700


The first thing to do is always to unbind NETBIOS from the interface
connected on the Internet (as Aleph One noted in the "BUILT-IN ANONYMOUS
USER BACK DOOR" message). NETBIOS is usually NOT needed for web or ftp
servers.

A lot of security holes can be nailed down - and specifically this one -
by unbinding NETBIOS. This is of course not always a viable solution.

Colin Surprenant - colins () microsoft com
SOFTIMAGE|IS  Microsoft ITG


        -----Original Message-----
        From:   Aleph One [SMTP:aleph1 () DFW NET]
        Sent:   Saturday, April 19, 1997 11:53 PM
        To:     BUGTRAQ () NETSPACE ORG
        Subject:        [NTSEC] Re: @LERT - NT security flaw
announcement

        There is an easier way to stop the registry part of the problem
that I've
        overlooked until just now (doh!).

        Go into
HKEY_LOCAL_MACHINE/CurrentControlSet/Control/SecurePipeServers

        Create a key called winreg

        Set the security on it however you like, but do NOT give
"everyone" any access.
        (also do not give "everyone" NO access, since YOU are also a
member of
        everyone - just don't have an entry in the ACL for everyone).

        Reboot.

        Poof - part of the problem is now solved.

        I still recommend using the everyone2user tool anyway - tends to
keep down
        mischief.

        If/when I figure out how to fix more of it, I'll let everyone
know.

        BTW, the 4.3 version of the ISS Internet Scanner _will_ have a
check for the
        presence of this key and whether everyone has any access.  I'll
have it
        coded in the next 10 minutes... <g>

        -----------------------------------------------------------
        David LeBlanc                   | Voice: (770)395-0150 x138
        Internet Security Systems, Inc. | Fax:   (404)395-1972
        41 Perimeter Center East        | E-Mail:  dleblanc () iss net
        Suite 660                       | www: http://www.iss.net/
        Atlanta, GA 30328               |



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault