Bugtraq mailing list archives
Re: [NTSEC] Re: @LERT - NT security flaw announcement
From: colins () MICROSOFT COM (Colin Surprenant)
Date: Mon, 21 Apr 1997 08:50:11 -0700
The first thing to do is always to unbind NETBIOS from the interface connected on the Internet (as Aleph One noted in the "BUILT-IN ANONYMOUS USER BACK DOOR" message). NETBIOS is usually NOT needed for web or ftp servers. A lot of security holes can be nailed down - and specifically this one - by unbinding NETBIOS. This is of course not always a viable solution. Colin Surprenant - colins () microsoft com SOFTIMAGE|IS Microsoft ITG -----Original Message----- From: Aleph One [SMTP:aleph1 () DFW NET] Sent: Saturday, April 19, 1997 11:53 PM To: BUGTRAQ () NETSPACE ORG Subject: [NTSEC] Re: @LERT - NT security flaw announcement There is an easier way to stop the registry part of the problem that I've overlooked until just now (doh!). Go into HKEY_LOCAL_MACHINE/CurrentControlSet/Control/SecurePipeServers Create a key called winreg Set the security on it however you like, but do NOT give "everyone" any access. (also do not give "everyone" NO access, since YOU are also a member of everyone - just don't have an entry in the ACL for everyone). Reboot. Poof - part of the problem is now solved. I still recommend using the everyone2user tool anyway - tends to keep down mischief. If/when I figure out how to fix more of it, I'll let everyone know. BTW, the 4.3 version of the ISS Internet Scanner _will_ have a check for the presence of this key and whether everyone has any access. I'll have it coded in the next 10 minutes... <g> ----------------------------------------------------------- David LeBlanc | Voice: (770)395-0150 x138 Internet Security Systems, Inc. | Fax: (404)395-1972 41 Perimeter Center East | E-Mail: dleblanc () iss net Suite 660 | www: http://www.iss.net/ Atlanta, GA 30328 |
Current thread:
- [NTSEC] Re: @LERT - NT security flaw announcement Aleph One (Apr 19)
- <Possible follow-ups>
- Re: [NTSEC] Re: @LERT - NT security flaw announcement Colin Surprenant (Apr 21)