Qualys showing "Null Session/Password NetBIOS Access" on DCs - Not Sure How/If this can be fixed.
Greetings,
Our area uses Qualys vulnerability scanning, and our DCs are showing the following vulnerabilities:
Remote User List Disclosure Using NetBIOS (7)
QID: 45003
Category: Information Gathering
CVE ID: CVE-2000-1200
Vendor Reference: -
Bugtraq ID: 959
Modified: 10/08/2009
Edited: No
Null Session/Password NetBIOS Access (7)
QID: 70003
Category: SMB / NetBIOS
CVE ID: CVE-1999-0519
Vendor Reference: -
Bugtraq ID: -
Modified: 10/08/
Basically, it appears that anonymous users can generate a list of domain user names, which can then be exploited via brute-force attacks. I've followed the steps below from the MS articles listed below:
“It is recommended to disable null sessions.
Before editing the configuration file in a production environment, changes should be tested in a rehearsal environment.
Read the Microsoft documents called How to Use the RestrictAnonymous Registry Value (http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and
Restricting Anonymous Access (http://technet2.microsoft.com/windowsserver/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for
more information. If the vulnerability is discovered on a domain controller, please note that some of the recommended settings may not have an effect. Read
the Microsoft article Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for more information regarding Pre-Windows 2000
Compatible Access.”
The one thing I haven't done is set the RestrictNullSessAccess key in HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters to (2). It is set to (1), which limits but does not block null sessions.
The kicker is that our test domain is configured the same way, and it doesn't show up on the scan as having these vulnerabilities. Has anyone seen this before? Our domain admins are worried about making the change (rightly so) because they think it must be needed in some way, and they don't want to break the domain. I can't recreate the issue on the test domain to try a fix. Security is telling us it has to be fixed now, and I'm not sure what I can do. Any help is appreciated. Thanks.
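An added read-only audit script, not from the original thread, that reads the null-session values the Qualys text points at on every DC and then checks whether the Pre-Windows 2000 Compatible Access group (the dcpromo choice in KB 257988) still contains Everyone or ANONYMOUS LOGON, which is one common reason user enumeration persists on a DC even when the Lsa values are set. It assumes the ActiveDirectory module, PowerShell remoting to the DCs, and read rights to their registry; the value names other than RestrictAnonymous and RestrictNullSessAccess are documented Windows values rather than names taken from the thread.

```powershell
# Added example (not from the original thread): audit-only, changes nothing.
Import-Module ActiveDirectory

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Runs on each DC and returns the registry values that govern null sessions.
$registryAudit = {
    param($lsa, $srv)
    $l = Get-ItemProperty -Path $lsa
    $s = Get-ItemProperty -Path $srv
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        RestrictAnonymous         = $l.RestrictAnonymous          # Lsa value from KB 246261
        RestrictAnonymousSAM      = $l.RestrictAnonymousSAM       # blocks anonymous SAM enumeration
        EveryoneIncludesAnonymous = $l.EveryoneIncludesAnonymous  # 1 = anonymous gets Everyone rights
        RestrictNullSessAccess    = $s.RestrictNullSessAccess     # LanmanServer value the OP mentions
        NullSessionPipes          = ($s.NullSessionPipes -join ',')
        NullSessionShares         = ($s.NullSessionShares -join ',')
    }
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock $registryAudit -ArgumentList $lsa, $srv |
        Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId
}

# Well-known SIDs in this group show up as ForeignSecurityPrincipals in the member
# attribute, e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=... (Everyone).
$members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member
$open = $members | Where-Object { $_ -match '^CN=(S-1-1-0|S-1-5-7),CN=ForeignSecurityPrincipals,' }
if ($open) {
    Write-Warning ("Pre-Windows 2000 Compatible Access grants read access to: {0}" -f ($open -join '; '))
} else {
    Write-Output 'Pre-Windows 2000 Compatible Access contains neither Everyone nor ANONYMOUS LOGON.'
}
```

Run the same script against the test domain and the production DCs; a difference in the group membership output is the first place to look when two domains with identical registry settings scan differently.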
I have never gotten this locked down. Basically, if you are on the network, you are going to be able to poke around, use freeware scanning tools, and see the network. Pursuing perfection is going to be a strenuous task and result in great expense, but it can be closely achieved...
The mitigation strategies center a little around what you have, and the security practices around managing and securing AD, and focus more on:
Encryption – implementing PKI and forcing IPsec on machines will aid in the fight. Port scanners can still detect port usage and be able to deduce information about the domain, but if you force machines to encrypt network traffic, there is less in terms of carte blanche response from servers on the network.
Physical security of the network – don't let people in the buildings unless they are supposed to be there.
Perimeter defense – use technologies like Microsoft's UAG (ISA, IAG) and Cisco PIX to defend external network access points, and technologies similar to RSA or UAG to secure VPN access.
Logical network defense – use tools like NAP to isolate “non-ideal” entities on the physical network and verify identity, antivirus and malware status.
Good luck,
Aaron Sankey, Avanade