Subject: Re: NetUserModalsGet() and NT/Win2K Password Policy
From: David LeBlanc (dleblanc@MINDSPRING.COM)
Date: Wed Nov 01 2000 - 15:57:57 CST


At 12:30 PM 10/21/00 -0500, Peyton Engel wrote:
>Hello,

>I was poking around with the Win32 networking API
>recently, and I found something interesting. It's not
>a new issue, though my initial search didn't reveal
>anything else that takes advantage of the principle:
>NetUserModalsGet() requires no authentication, just
>the establishment of a NULL NetBIOS session. This
>fact has actually been observed on the list before:

I reported this to Microsoft while I was working at ISS, and it was first
fixed in the lsa2_fix NT 4.0 hotfix in spring 1998. One might note that
this was done without any real prompting on my part - they just fixed it.
Seems that things can and do get fixed without overblown advisories and
public floggings. But I digress. There's a KB article explaining this
behavior that accompanied the fix. The reason for the behavior is to be
able to give users better error messages about why they can't log on, etc.
If you're remotely up to date on NT 4.0 service packs or running Win2k,
setting RestrictAnonymous=1 will stop this API from working across an
anonymous session.

Additionally, the ISS Scanner has had a check for this since very shortly
after Microsoft provided a fix - I think it shipped in 5.0, though possibly
not until later - it's been a long time, and I don't remember. I think
they're on 6.1 now. Also, you'll find that the most recent SDK does contain
much more accurate information about the actual access levels needed to
make the Net*() API calls, and should contain information about how
behavior varies with RestrictAnonymous. If any inaccuracies remain, please
drop me a line and I'll see about getting them corrected.

David LeBlanc
dleblanc@mindspring.com
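The two things the reply above turns on (NetUserModalsGet() answering over a null session, and RestrictAnonymous=1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa shutting that off) can be checked from a Windows host with the script below. It is an added example written for this archive page, not code from the original thread or from either poster; the host name TARGETHOST, the NULLTARGET environment variable and the NetApi wrapper class are placeholders and helpers chosen here. Run it only against a machine you are authorized to test.

```powershell
# Added example (not from the original post). Probes a host for anonymous
# NetUserModalsGet() over a null session and reports the local RestrictAnonymous
# value. TARGETHOST is an assumed placeholder; replace it with a real host name.
param([string]$Target = 'TARGETHOST')

# --- Local policy check --------------------------------------------------
# RestrictAnonymous lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
# A missing value behaves like 0 (anonymous queries allowed).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name RestrictAnonymous -ErrorAction SilentlyContinue
$localValue = if ($null -ne $lsa) { [int]$lsa.RestrictAnonymous } else { 0 }
Write-Host "Local RestrictAnonymous = $localValue"

# --- P/Invoke wrapper for NetUserModalsGet level 0 ---------------------
# NetApi is a helper class defined here for the example; USER_MODALS_INFO_0
# mirrors the LanMan structure (all fields are DWORDs, times are in seconds).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [StructLayout(LayoutKind.Sequential)]
    public struct USER_MODALS_INFO_0 {
        public uint min_passwd_len;
        public uint max_passwd_age;     // seconds; 0xFFFFFFFF (TIMEQ_FOREVER) = never
        public uint min_passwd_age;     // seconds
        public uint force_logoff;       // seconds; 0xFFFFFFFF = never forced off
        public uint password_hist_len;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserModalsGet(string server, int level, out IntPtr buf);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buf);
}
"@

# --- Null session: net use \\host\IPC$ "" /user:"" ------------------------
# --% stops PowerShell parsing so the empty quoted arguments reach net.exe
# intact; %NULLTARGET% is still expanded by the environment-variable pass.
$env:NULLTARGET = $Target
net --% use \\%NULLTARGET%\IPC$ "" /user:""
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Null session to \\$Target was refused (exit code $LASTEXITCODE)"
}

# --- The call itself -----------------------------------------------------
$buf = [IntPtr]::Zero
$rc  = [NetApi]::NetUserModalsGet("\\$Target", 0, [ref]$buf)

if ($rc -eq 0) {
    $m = [Runtime.InteropServices.Marshal]::PtrToStructure($buf, [NetApi+USER_MODALS_INFO_0])
    [void][NetApi]::NetApiBufferFree($buf)
    $maxAge = if ($m.max_passwd_age -eq 0xFFFFFFFF) { 'never' } else { "$($m.max_passwd_age / 86400) days" }
    Write-Host "Password policy readable anonymously from \\$Target (RestrictAnonymous not effective):"
    Write-Host ("  minimum password length : {0}" -f $m.min_passwd_len)
    Write-Host ("  maximum password age    : {0}" -f $maxAge)
    Write-Host ("  minimum password age    : {0} days" -f ($m.min_passwd_age / 86400))
    Write-Host ("  password history length : {0}" -f $m.password_hist_len)
} elseif ($rc -eq 5) {
    # ERROR_ACCESS_DENIED: the anonymous query was rejected.
    Write-Host "NetUserModalsGet returned 5 (ERROR_ACCESS_DENIED): anonymous query blocked, consistent with RestrictAnonymous=1"
} else {
    Write-Host "NetUserModalsGet failed with status $rc"
}

# Tear the null session down again.
net --% use \\%NULLTARGET%\IPC$ /delete
```

The exit code of the net use step matters: if the target refuses the null session in the first place, an access-denied status from the API says nothing about RestrictAnonymous, so read the two results together. The structure is freed with NetApiBufferFree() as the Net*() API requires; the level 0 information is what a client would use to explain a password-policy rejection, which is the purpose the reply gives for the call being anonymous in the first place.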