Re: [NTSEC] Re: @LERT - NT security flaw announcement

Colin Surprenant (colins@MICROSOFT.COM)
Mon, 21 Apr 1997 08:50:11 -0700

The first thing to do is always to unbind NETBIOS from the interface
connected to the Internet (as Aleph One noted in the "BUILT-IN ANONYMOUS
USER BACK DOOR" message). NETBIOS is usually NOT needed for web or ftp
servers.

A lot of security holes can be nailed down - and specifically this one -
by unbinding NETBIOS. This is of course not always a viable solution.

Colin Surprenant - colins@microsoft.com
SOFTIMAGE|IS  Microsoft ITG


        -----Original Message-----
        From:   Aleph One [SMTP:aleph1@DFW.NET]
        Sent:   Saturday, April 19, 1997 11:53 PM
        To:     BUGTRAQ@NETSPACE.ORG
        Subject:        [NTSEC] Re: @LERT - NT security flaw announcement

        There is an easier way to stop the registry part of the problem
        that I've overlooked until just now (doh!).

        Go into HKEY_LOCAL_MACHINE/CurrentControlSet/Control/SecurePipeServers

        Create a key called winreg

        Set the security on it however you like, but do NOT give
        "everyone" any access. (Also do not give "everyone" NO access,
        since YOU are also a member of everyone - just don't have an
        entry in the ACL for everyone.)

        Reboot.

        Poof - part of the problem is now solved.

        I still recommend using the everyone2user tool anyway - tends to
        keep down mischief.

        If/when I figure out how to fix more of it, I'll let everyone know.

        BTW, the 4.3 version of the ISS Internet Scanner _will_ have a
        check for the presence of this key and whether everyone has any
        access.  I'll have it coded in the next 10 minutes... <g>

        -----------------------------------------------------------
        David LeBlanc                   | Voice: (770)395-0150 x138
        Internet Security Systems, Inc. | Fax:   (404)395-1972
        41 Perimeter Center East        | E-Mail:  dleblanc@iss.net
        Suite 660                       | www: http://www.iss.net/
        Atlanta, GA 30328               |
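
One way to run the check described in the quoted message (winreg key present, no entry for Everyone in its ACL), as an added PowerShell example that is not part of either post and is not the ISS Internet Scanner check. It assumes a current Windows system with PowerShell, the full key path under the SYSTEM hive, and a hypothetical function name `Test-WinregAcl`.

```powershell
# Added example (not from the thread): audit the ACL on the winreg key.
# Assumption: the key sits under the SYSTEM hive of HKEY_LOCAL_MACHINE.
$WinregPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$EveryoneSid = 'S-1-1-0'   # well-known SID of the Everyone group

function Test-WinregAcl {    # hypothetical helper name
    param([string]$Path = $WinregPath)

    $result = [pscustomobject]@{
        Path         = $Path
        KeyPresent   = Test-Path -LiteralPath $Path
        EveryoneAces = @()
        Findings     = @()
    }
    if (-not $result.KeyPresent) {
        $result.Findings += 'winreg key is missing: create it and set its ACL'
        return $result
    }

    # Request ACEs by SID so the match does not depend on a localized group name.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    $result.EveryoneAces = @($rules |
        Where-Object { $_.IdentityReference.Value -eq $EveryoneSid })

    foreach ($ace in $result.EveryoneAces) {
        if ($ace.AccessControlType -eq 'Deny') {
            # The case the post warns about: a deny entry also applies to the admin.
            $result.Findings += "Deny ACE for Everyone ($($ace.RegistryRights)): remove the entry"
        } else {
            $result.Findings += "Allow ACE for Everyone ($($ace.RegistryRights)): remove the entry"
        }
    }
    if ($result.Findings.Count -eq 0) {
        $result.Findings += 'OK: key present, no ACE for Everyone'
    }
    return $result
}

Test-WinregAcl | Format-List
```

Run it from an elevated prompt so the key's security descriptor can be read; inherited entries are included in the check.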