Hi everybody,

We use a tool that audits our servers in order to avoid
vulnerabilities. I've a DC w2003 with the following vulnerability:
Remote Windows User List Disclosure Vulnerability. That means that a
null session connection to the IPC$ share was successful and NetBIOS
access can be obtained with any authenticated account on that host.
Therefore unauthorized users can steal the remote user list. This kind
of attack is commonly exploited by users with weak passwords, such as
the GUEST account.

Microsoft has published this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;246261

The values for w2000 and w2003 are different. I've read that in w2003
in order to restrict anonymous you can only use 0 to disable it and 1
to enable it. Meanwhile, in windows 2000 you have one more possible
value, 2. Anyway, I've tried to set it to 1 or 2 without success. I've
also disabled the possibility of enumerating SAM accounts and shares
through the domain controller security policy.

After restarting the server I obtain again the vulnerability in that
server.

Any idea about this issue?

Your help would be much appreciated,

Regards.

Victor Fdez-Peñaranda

Re: Remote Windows User List Disclosure Vulnerability by Karl

Karl
Tue May 16 09:34:46 CDT 2006

Both Win2003 and 2000 have the same capabilities here. With Windows 2000,
this is done with the Registry value RestrictAnonymous = 0, 1 or 2. With XP
and 2003, this value can only be 0 or 1, but there is a second registry
value called RestrictAnonymousSAM = 0 or 1 that gives you the other
functionality.

On some servers like domain controllers, some things may break, especially
for versions of Windows prior to XP and 2000, if you restrict null session
information too much.

Also note that attackers can log on remotely using the SID, even with null
sessions disabled. So blocking this null session information only helps you
so much.

There's a good site www.securityfriday.com with articles about what these
registry values do and don't do, and there's also a free tool GetAcct at
that site that helps you see what you can and can't see with various
settings selected.




Re: Remote Windows User List Disclosure Vulnerability by vic

vic
Tue May 16 09:53:30 CDT 2006

Hi Karl,

I knew that I can enable this capability using 1 for that value in the
registry for w2003/xp. What is happening in our environment is that
after a certain period of time the RestrictAnonymous is automatically set
to 0. Maybe there is a domain policy that is overwriting the value. Do
you know where I could find it?

Thanks again,

Regards.

Victor Fdez-Peñaranda.



Re: Remote Windows User List Disclosure Vulnerability by Roger

Roger
Tue May 16 10:12:02 CDT 2006

Try using RSoP capability, such as is available within the
Group Policy Management Console (GPMC from the
microsoft.com/downloads site), in order to see what is
setting the value back to 0 if this is being caused by the
application of a GPO.





Re: Remote Windows User List Disclosure Vulnerability by Steven

Steven
Tue May 16 12:53:41 CDT 2006

As Roger said you can use RSOP to see what Group Policy is enforcing that
setting. However it seems as if you are being overly concerned about the
ability of users to obtain the list of users. If that is so possibly you are
not enforcing strong passwords in your domain which would be a much much
bigger concern. Also your concern about remote users can be mitigated by
using l2tp from VPN access which will require that computers must
authenticate before a user can even attempt to authenticate via
certificates. You might also want to consider smart card authentication for
sensitive accounts. --- Steve





Re: Remote Windows User List Disclosure Vulnerability by vic

vic
Wed May 17 04:27:32 CDT 2006

Hello again,

The problem isn't that I'm overly concerned about the ability of users
to obtain the list of users :). We are using complex passwords and also
strong security with remote users in the domain. What is happening is
that when I set this value to 1, it is automatically changed to 0 after a
certain period of time in the RestrictAnonymous. So, I think that in
the same way that if I enable the policy Network Access: Do not allow
anonymous enumeration of the SAM and shares the associated registry
value for the RestrictAnonymousSAM is set to 1, I want to find what is
the associated policy for the RestrictAnonymous registry value, but
nobody has been able to tell me. I think that we have quite a secure
environment, but every time our manager sees a level 4 vulnerability
(Remote Windows User List Disclosure Vulnerability), they ask us about
this. We only have xp/2000/2003 workstations/servers, so I suppose that
we're not going to have any problem in that way. But I've been reading
about this issue and nobody gave me a solution. As I said, I don't know
the associated policy so I can't use rsop to view which gpo is activated
for that setting.

Did you understand me?

Thanks a lot for your help one more time,

Kind regards,

Victor Fdez-Peñaranda


Re: Remote Windows User List Disclosure Vulnerability by Roger

Roger
Wed May 17 08:19:30 CDT 2006

Yes, we understand you, Victor.
Use of the Resultant Set of Policy feature is the most direct
way to determine whether the resetting of the value is due to
another setting somewhere in a group policy object.





Re: Remote Windows User List Disclosure Vulnerability by Steven

Steven
Wed May 17 11:46:43 CDT 2006

Well, I am glad you are enforcing strong passwords. Your description is that
Group Policy refresh is changing the value via some GPO. Log on to the
computer and run rsop.msc on it and look for the security options in question
under computer configuration/Windows settings/security settings/security
options. You most likely will see an entry for the setting in question and
then check the source GPO. That is what is enforcing that Group Policy
setting. You can also run Resultant Set of Policy on a Windows 2003 domain
controller in planning or logging mode for the computer in question. The
link below shows how to use RSOP in more detail. --- Steve

http://www.windowsecurity.com/articles/Generating-Resultant-Set-Policy-Queries.html
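Added example, not part of any post in this thread: a complementary way to find which GPO resets the RestrictAnonymous and RestrictAnonymousSAM values discussed above is to read the `[Registry Values]` section of each GPO's `GptTmpl.inf` security template, where security options are stored as `path=type,data` lines. The GPO names and template contents below are constructed sample data, and the function names are hypothetical; real templates are read from the GPO folders on SYSVOL and decoded to text before being passed in.

```python
import re

# The two LSA values from the thread and the security option that sets each.
LSA_KEY = r"machine\system\currentcontrolset\control\lsa" + "\\"
POLICY_NAMES = {
    "restrictanonymous":
        "Network access: Do not allow anonymous enumeration of SAM accounts and shares",
    "restrictanonymoussam":
        "Network access: Do not allow anonymous enumeration of SAM accounts",
}

def registry_values(inf_text):
    """Yield (path, reg_type, data) for each line of [Registry Values]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "registry values" and "=" in line:
            path, _, rhs = line.partition("=")
            reg_type, _, data = rhs.partition(",")
            yield path.strip(), int(reg_type), data.strip()

def find_null_session_settings(gpos):
    """gpos maps GPO name -> GptTmpl.inf text; returns (gpo, value, data, policy)."""
    rows = []
    for gpo, text in gpos.items():
        for path, reg_type, data in registry_values(text):
            name = path.lower()
            if name.startswith(LSA_KEY) and reg_type == 4:  # 4 = REG_DWORD
                value = name[len(LSA_KEY):]
                if value in POLICY_NAMES:
                    rows.append((gpo, path.rsplit("\\", 1)[1], int(data),
                                 POLICY_NAMES[value]))
    return rows

# Constructed sample templates for two hypothetical GPOs.
SAMPLE_GPOS = {
    "Legacy Compat GPO (constructed)": r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
""",
    "Server Baseline (constructed)": r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
""",
}

if __name__ == "__main__":
    for gpo, value, data, policy in find_null_session_settings(SAMPLE_GPOS):
        print(f"{gpo}: {value}={data} ({policy})")
```

A GPO reported with `RestrictAnonymous=0` is the one whose security option has to be changed; editing the registry on the server directly will be undone at the next policy refresh.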
