|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: name of built-in administrator
- To: NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM - Subject: Re: name of built-in administrator
- From: David LeBlanc <dleblancMINDSPRING.COM>
- Date: Thu, 30 Apr 1998 10:03:24 -0400
- Comments: To: Luke Kenneth Casson Leighton <lkclregent.push.net>
- In-Reply-To: <Pine.LNX.3.96.980430122932.130H-100000regent>
- Reply-To: David LeBlanc <dleblancMINDSPRING.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
At 12:40 PM 4/30/98 +0000, Luke Kenneth Casson Leighton wrote: >On Tue, 28 Apr 1998, David LeBlanc wrote: >> At this time, there is no fix for this, except to filter connections to >> port 139. I've tried a couple of things I thought would fix it, but found >> that it caused severe problems. So, at the moment, if you can get a null >> session, you can dump all the users, groups, and machine accounts. You can >> also cause some other problems, but they are a little arcane, and MS has >> been advised (I only found it this morning, trying to make a fix for this). >> There isn't anything you can do to stop the other problems, except filter >> 139, so... >> IMHO, we should be able to control whether or not NT accepts null sessions. >the reason that null sessions [to IPC$] are allowed is so that >non-critical information can be made available (such as browsing >information). I understand this. I think we should be able to decide whether we're going to provide anything at all to a null session. Ideally, we should also be able to turn on and off anything which is provided to a null session. >there are info levels to all IPC$ (and dce/rpc \PIPE\some_service calls). >certain levels require no user/pass/domain identification (usually info >levels 0 and 1 or 100 and 101) which implies that an anonymous (null >session) connection is accepted; some levels require user/pass/domain >identification (levels around 1-2, or 101 to 102); some require >administrator rights (usually levels 3, 103 and above and 1001 and above). These correspond to the level argument of all the NetXXX() calls. >unfortunately, something went wrong somewhere with the permissions for the >above accounts. i therefore suspect this to be another manifestation of >the "red button" bug, which means that it would be useful for someone to >confirm this by setting the "RestrictAnonymous" registry entry. No, this is documented behavior. The LookupAccountXXX() calls are documented to work across a null session. It must pose some relatively sticky problem to disallow this. >> It is possible they are doing something about this in SP4 - they didn't >> tell me whether, how or when they planned to fix it. >obviously, setting "RestrictAnonymous" doesn't help you against malicious >users with an account: that would require something like "RestrictUser", >but at what point do you draw the line? do you cover the >SamrQueryDisplayInfo call (which is another security hole as far as >malicious users are concerned), too? No - all of this can come across a null session, not an authenticated user session. The NetQueryDisplayInfo() call won't return users if RestrictAnonymous has been set - I haven't tried the other two ways to call it. >i think microsoft have their work cut out on this one... Agreed. David LeBlanc dleblanc
- Prev by Date: Re: name of built-in administrator
- Next by Date: Re: Is PPTP secure?
- Prev by thread: Re: name of built-in administrator
- Next by thread: Re: name of built-in administrator
- Index(es):