MaxPatrol Vulnerability Report
29.03.2004 16:20
   Report for a security engineer or administrator: detailed information on hosts, services and vulnerabilities
Audited Hosts
1     192.168.0.37 [ LDESTROY ]   29.03.2004 15:50
2     192.168.0.72   29.03.2004 15:50
3     192.168.0.210 [ SERVER ]   29.03.2004 15:50



 
Legend
 
    no vulnerabilities  
    information acquisition available  
    suspicion on vulnerability  
    vulnerability  
    suspicion on critical vulnerability  
    critical vulnerability  
    blocked service  
    not vulnerable service  
    not identified service  
    not scanned service  
    not scanned host  
    partially scanned host  
    license restriction  
Statistics
Servers
0
0
0
0
0
3
no vulnerabilities
information available
suspicion on vulnerability
vulnerability
suspicion on critical vulnerability
critical vulnerability
Vulnerabilities
33
0
14
2
9
Services
35
11
0
2
2
5
 
Hosts Information
1 192.168.0.37 [ LDESTROY ] 29.03.2004 15:50 / MaxPatrol 7.0 Build 813
System
Windows 2000 Professional ( Service Pack 2 )

80 / tcp - MaxPatrol Update HTTP
135 / tcp - RPC win32services
DCOM service started
135 / udp - MsRPC
execute arbitrary code
137 / udp - NetBIOS-SSN
139 / tcp - NetBIOS
Windows updates
execute arbitrary code (04-007)
list of services
list of resources
list of users ( 1 - 8 )
active session list
access for any user
remote registry service
MAC-address
computer name and domain
user group list
transport protocols list
NULL session connection
Windows version
LanManager and OS
445 / tcp - Microsoft DS
2002 / tcp - MaxPatrol Update

 
2 192.168.0.72 29.03.2004 15:50 / MaxPatrol 7.0 Build 813
System
FreeBSD

21 / tcp - FTP
login found
22 / tcp - SSH
versions of protocols
23 / tcp - Telnet
login found
protocol without encryption
3306 / tcp - MySQL

 
3 192.168.0.210 [ SERVER ] 29.03.2004 15:50 / MaxPatrol 7.0 Build 813
System
Windows 2000 Server ( Service Pack 4 )

22 / tcp - SSH
local privilege escalation
versions of protocols
42 / tcp - WINS
53 / tcp - DNS
53 / udp - DNS
88 / tcp - Kerberos
123 / udp - NTP
135 / tcp - RPC win32services
DCOM service started
137 / udp - NetBIOS-SSN
139 / tcp - NetBIOS
remote registry service
Windows updates
Internet Explorer updates
execute arbitrary code (04-007)
list of resources
list of users ( 1 - 18 )
active session list
unsecure page file
weak cryptography
MAC-address
computer name and domain
user group list
transport protocols list
NULL session connection
Windows version
MSSQL version
IIS version
Internet Explorer version
MDAC version
domain controller (AD)
Scheduler Service
autorun
LanManager and OS
389 / tcp - LDAP
sensitive information acquisition
445 / tcp - Microsoft DS
464 / tcp - Blocked
593 / tcp - HTTP RPC epmap
DCOM service started
636 / tcp - Blocked
1026 / tcp - RPC LSASS.exe
1029 / tcp - HTTP RPC epmap
1038 / tcp - RPC Windows
1050 / tcp - RPC ismserv.exe
1079 / tcp - RPC mstask.exe
Scheduler Service
1080 / tcp - RPC services.exe
1090 / tcp - RPC dns.exe
1091 / tcp - RPC ntfrs.exe
1099 / tcp - RPC wins.exe
1103 / tcp - RPC inetinfo.exe
1107 / tcp - RPC mqsvc.exe
1433 / tcp - MsSQL
user 'sa'
1434 / udp - MsSQL info
service information
1755 / tcp - Windows Media
DoS-attack
1801 / tcp - msmq
2101 / tcp - RPC mqsvc.exe
2103 / tcp - RPC mqsvc.exe
2105 / tcp - RPC mqsvc.exe
2107 / tcp - RPC mqsvc.exe
3268 / tcp - msft-gc
3269 / tcp - Blocked
3372 / tcp - MsDTC
3389 / tcp - MsRDP
remote control
4899 / tcp - Radmin
remote control
6666 / tcp - unknown
7007 / tcp - afs3-bos
8080 / tcp - HTTP

 
Services and Vulnerabilities
1.0 vulnerability System 192.168.0.37 [ LDESTROY ] / TTL= 222
 
1.0.1 vulnerability System vulnerability 192.168.0.37 [ LDESTROY ] / TTL= 222
Windows 2000 Professional ( Service Pack 2 )

Description

Possible Operating System : Windows 2000 Professional ( Service Pack 2 )
 
1.1 vulnerability Port 80 / tcp - MaxPatrol Update HTTP 192.168.0.37 [ LDESTROY ] / TTL= 222
 
Port : 80 / tcp
Service : MaxPatrol Update HTTP
 
 
1.2 vulnerability Port 135 / tcp - RPC win32services 192.168.0.37 [ LDESTROY ] / TTL= 222
 
Port : 135 / tcp
Service : RPC win32services
________________________________
Service name : Generic Host Process for Win32 Services
 
 
1.2.1 vulnerability Vulnerability in service 135 / tcp - RPC win32services 192.168.0.37 [ LDESTROY ] / TTL= 222
DCOM service started

Description

DCOM service started (Distributed Component Object Model).

Solution

Disable DCOM if it is not needed.
 
1.3 vulnerability Port 135 / udp - MsRPC 192.168.0.37 [ LDESTROY ] / TTL= 222
 
Port : 135 / udp
Service : MsRPC
 
 
1.3.1 vulnerability Vulnerability in service 135 / udp - MsRPC 192.168.0.37 [ LDESTROY ] / TTL= 222
execute arbitrary code

Description

A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

Solution

Install update:
http://www.microsoft.com/technet/security/bulletin/MS03-043.asp
 
1.4 vulnerability Port 137 / udp - NetBIOS-SSN 192.168.0.37 [ LDESTROY ] / TTL= 222
 
Port : 137 / udp
Service : NetBIOS-SSN
 
 
1.5 vulnerability Port 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
 
Port : 139 / tcp
Service : NetBIOS
 
 
1.5.1 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
Windows updates

Description

Windows updates are not installed

Risk | Fix up | Description
3 | Service Pack 4 | Latest Service Pack not installed
3 | MS04-007 | ASN.1 Vulnerability Could Allow Code Execution (828028)
3 | MS03-049 | Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)
2 | MS03-045 | Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
3 | MS03-044 | Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
3 | MS03-043 | Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
3 | MS03-042 | Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)
3 | MS03-041 | Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
1 | MS03-034 | Flaw in NetBIOS Could Lead to Information Disclosure (824105)
2 | MS03-033 | Unchecked Buffer in MDAC Function Could Enable System Compromise (823718)
3 | MS03-023 | Buffer Overrun In HTML Converter Could Allow Code Execution (823559)

 
1.5.2 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
execute arbitrary code (04-007)

Description

A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow.

An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

Solution

Install update:
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
 
1.5.3 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
list of services

Description

Valuable information for planning future attacks.

The list of started services :

BROWSER (Computer Browser)
ccEvtMgr (Symantec Event Manager)
dmserver (Logical Disk Manager)
Dnscache (DNS Client)
Eventlog (Event Log)
EventSystem (COM+ Event System)
IISADMIN (IIS Admin Service)
LanmanServer (Server)
lanmanworkstation (Workstation)
LmHosts (TCP/IP NetBIOS Helper Service)
MESSENGER (Messenger)
navapsvc (Norton AntiVirus Auto Protect Service)
Netman (Network Connections)
NtmsSvc (Removable Storage)
NuTCRACKERService (NuTCRACKER Service)
PlugPlay (Plug and Play)
ProtectedStorage (Protected Storage)
PTUPSERV (MaxPatrol Update Server)
RemoteRegistry (Remote Registry Service)
RpcSs (Remote Procedure Call (RPC))
SamSs (Security Accounts Manager)
seclogon (RunAs Service)
SENS (System Event Notification)
SPOOLER (Print Spooler)
WinMgmt (Windows Management Instrumentation)
Wmi (Windows Management Instrumentation Driver Extensions)


 
1.5.4 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
list of resources

Description

Carefully review which resources the computer shares.

The list of resources:

Classics - user
E$ (Default share) - default disk
IPC$ (Remote IPC) - default pipe
NETBIOS - user
A - user
Graphics - user
F$ (Default share) - default disk
new_soft - user
ADMIN$ (Remote Admin) - default disk
C$ (Default share) - default disk

 
1.5.5 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
list of users ( 1 - 8 )

Description

The list of users makes it possible to determine passwords by brute force.

The list of users of host :

user : Administrator
privileges : Administrator
comment : Built-in account for administering the computer/domain
logins : 7
last connection time : Tue Jul 16 16:00:04 2002
time elapsed since last password change (days) : 586
account status : password never expires

user : Guest
privileges : Guest
comment : Built-in account for guest access to the computer/domain
logins : 10
last connection time : Fri Nov 14 13:31:31 2003
time elapsed since last password change (days) : 202
account status : login without password allowed

user : IUSR_LDESTROY
privileges : Guest
full name : Internet Guest Account
comment : Built-in account for anonymous access to Internet Information Services
logins : 0
last connection time : Wed Jun 25 17:05:15 2003
time elapsed since last password change (days) : 444
account status : login without password allowed

user : IWAM_LDESTROY
privileges : Guest
full name : Launch IIS Process Account
comment : Built-in account for Internet Information Services to start out of process applications
logins : 86
last connection time : Fri May 30 13:03:00 2003
time elapsed since last password change (days) : 444
account status : login without password allowed

user : LDESTROY
privileges : Administrator
full name : LDESTROY
logins : 630
last connection time : Mon Mar 29 13:57:19 2004
time elapsed since last password change (days) : 622
account status : password never expires

user : SQLDebugger
privileges : User
full name : SQLDebugger
comment : This user account is used by the Visual Studio .NET Debugger
logins : 0
time elapsed since last password change (days) : 4
account status : password never expires

user : test_admin
privileges : Administrator
full name : test_admin
logins : 3
last connection time : Thu Sep 11 16:57:39 2003
time elapsed since last password change (days) : 200

user : VUSR_LDESTROY
privileges : Guest
full name : VSA Server Account
comment : Account for the Visual Studio Analyzer server components
logins : 0
time elapsed since last password change (days) : 621
account status : password never expires



 
1.5.6 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
active session list

Description

The list of active sessions:

host : 192.168.0.10
user : OFID45F345WDF
connection duration : 00:00:01


Such a list makes it possible to find the most vulnerable host connected to the server, attack it first, and then gain privileges on the server.

Solution

Deny NULL session access (see NULL session vulnerability) and/or turn off "Guest" login on server.
 
1.5.7 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
access for any user

Description

Access to the server is granted to any user (arbitrary login/password access).

Access to resources :

Classics - read / write
NETBIOS - read / write
Graphics - read only
new_soft - read / write

Solution

Disable guest login.
 
1.5.8 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
remote registry service

Description

Remote registry control is possible.

Solution

Disable remote registry service.
 
1.5.9 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
MAC-address

Description

Host MAC-address: 00-02-B3-8E-BE-14
 
1.5.10 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
computer name and domain

Description

Computer name : LDESTROY
Domain : WORKGROUP
 
1.5.11 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
user group list

Description

The list of user groups:


Local groups of users :

group : Administrators
comment : Administrators have complete and unrestricted access to the computer/domain

group : Backup Operators
comment : Backup Operators can override security restrictions for the sole purpose of backing up or restoring files

group : Guests
comment : Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted

group : Power Users
comment : Power Users possess most administrative powers with some restrictions. Thus, Power Users can run legacy applications in addition to certified applications

group : Replicator
comment : Supports file replication in a domain

group : Users
comment : Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications

group : NC_S_ISLCK


Global groups of users :

group : None
comment : Ordinary users

Solution

Deny NULL session access (see NULL session vulnerability) and/or turn off "Guest" login on server.
 
1.5.12 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
transport protocols list

Description

The list of transport protocols used by the host :

device (protocol) : \Device\NetBT_Tcpip_{73EFD7FE-9A74-450E-AA39-E4FA2B1F1F82}
server name : LDESTROY
network address : 0002b38ebe14
the number of connected users : 0
domain : WORKGROUP

device (protocol) : \Device\NetBT_Tcpip_{73EFD7FE-9A74-450E-AA39-E4FA2B1F1F82}
server name : LDESTROY
network address : 0002b38ebe14
the number of connected users : 0
domain : WORKGROUP

device (protocol) : \Device\NetbiosSmb
server name : LDESTROY
network address : 000000000000
the number of connected users : 0
domain : WORKGROUP

device (protocol) : \Device\NetbiosSmb
server name : LDESTROY
network address : 000000000000
the number of connected users : 1
domain : WORKGROUP

Solution

Deny NULL session access (see NULL session vulnerability) and/or turn off "Guest" login on server.
 
1.5.13 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
NULL session connection

Description

A null session is a NetBIOS connection made to a server by an anonymous client. Since the connection is anonymous, the client's identification field is null (hence the name) and the session is unauthenticated. As a system administrator, you should consider all information which can be obtained via a null session to be essentially public information, whether you intended this or not. Furthermore any functions which can be performed remotely via a null session may be executed by anyone, from anywhere, and you won't be able to determine who did it. Therefore it is recommended that you restrict null session access to the minimum level necessary to meet your needs.


This vulnerability report is accurate only if the scan was performed under an account with administrative rights on the host.

Solution

Windows:

1. Add the value RestrictAnonymous = 2 (Windows 2000/XP/2003) or RestrictAnonymous = 1 (Windows NT3.5/NT4.0), to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_DWORD)

2. Add the value RestrictNullSessionAccess = 1, to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver (value type: REG_DWORD)

3. Reboot system to apply changes.

Samba:

Enable server access for registered users only.
Change security = share to security = user (or security = server or security = domain) in the smb.conf file.

Links

http://support.microsoft.com/support/kb/articles/q143/4/74.asp
 
1.5.14 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
Windows version

Description

Version of Windows is Windows 2000 Professional ( Service Pack 2 )

Hotfixes installed:

KB823980
KB824146
Q147222
Q285985
Q300972
Q326830
Q811114

 
1.5.15 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.37 [ LDESTROY ] / TTL= 222
LanManager and OS

Description

LanManager: Windows 2000 LAN Manager
OS: Windows 5.0
 
1.6 vulnerability Port 445 / tcp - Microsoft DS 192.168.0.37 [ LDESTROY ] / TTL= 222
 
Port : 445 / tcp
Service : Microsoft DS
 
 
1.7 vulnerability Port 2002 / tcp - MaxPatrol Update 192.168.0.37 [ LDESTROY ] / TTL= 222
 
Port : 2002 / tcp
Service : MaxPatrol Update
 
 
2.0 vulnerability System 192.168.0.72 / TTL= 64
 
2.0.1 vulnerability System vulnerability 192.168.0.72 / TTL= 64
FreeBSD

Description

Possible Operating System : FreeBSD
 
2.1 vulnerability Port 21 / tcp - FTP 192.168.0.72 / TTL= 64
 
Port : 21 / tcp
Service : FTP
________________________________
220 pupsik1.ptsecurity.ru FTP server (Version 6.00LS) ready.

Server name confirmed by heuristic mechanisms
server : FreeBSD FTP server 4.6 - X.X
 
 
2.1.1 vulnerability Vulnerability in service 21 / tcp - FTP 192.168.0.72 / TTL= 64
login found

Description

It is possible to access the server using login "test" and password "test".

Solution

Deny access for this user.
 
2.2 vulnerability Port 22 / tcp - SSH 192.168.0.72 / TTL= 64
 
Port : 22 / tcp
Service : SSH
________________________________
SSH-2.0-3.2.5 SSH Secure Shell (non-commercial)
 
 
2.2.1 vulnerability Vulnerability in service 22 / tcp - SSH 192.168.0.72 / TTL= 64
versions of protocols

Description

Supported protocol versions:
1.99
2.0
 
2.3 vulnerability Port 23 / tcp - Telnet 192.168.0.72 / TTL= 64
 
Port : 23 / tcp
Service : Telnet
________________________________


FreeBSD/i386 (pupsik1.ptsecurity.ru) (ttyp0)



login:
 
 
2.3.1 vulnerability Vulnerability in service 23 / tcp - Telnet 192.168.0.72 / TTL= 64
login found

Description

It is possible to access the server and execute arbitrary commands using login "test" and password "test".

Solution

Disable the account or set a more complex password.
 
2.3.2 vulnerability Vulnerability in service 23 / tcp - Telnet 192.168.0.72 / TTL= 64
protocol without encryption

Description

Telnet is a remote control protocol for computers. This protocol is not secure: all traffic between computers (including passwords) is unencrypted and can be intercepted using a "sniffer" program.

Solution

Use a secure protocol (such as SSH) or restrict access via this protocol to specific IP addresses.
 
2.4 vulnerability Port 3306 / tcp - MySQL 192.168.0.72 / TTL= 64
 
Port : 3306 / tcp
Service : MySQL
________________________________
connection to MySQL server forbidden for unauthorized addresses
 
 
3.0 vulnerability System 192.168.0.210 [ SERVER ] / TTL= 200
 
3.0.1 vulnerability System vulnerability 192.168.0.210 [ SERVER ] / TTL= 200
Windows 2000 Server ( Service Pack 4 )

Description

Possible Operating System : Windows 2000 Server ( Service Pack 4 )
 
3.1 vulnerability Port 22 / tcp - SSH 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 22 / tcp
Service : SSH
________________________________
SSH-2.0-3.2.0 F-Secure SSH Windows NT Server
 
 
3.1.1 vulnerability Vulnerability in service 22 / tcp - SSH 192.168.0.210 [ SERVER ] / TTL= 200
local privilege escalation

Description

No root privilege exploits are known at this time, but they may be possible (for example, if a setuid-application relies on the output of getlogin()).
This vulnerability allows for setting the login name to for example "root". Applications that trust the login name and do not check the user ID or effective user ID are vulnerable to user identity spoofing. For example false log entries can be produced on BSD systems.
A limitation to the possible exploitations of this vulnerability is that the malicious user needs to have access to some user account on the system to be able to exploit this vulnerability.

Solution

Install the latest version:
http://www.ssh.com/

Links

http://www.ssh.com/company/newsroom/article/286/
 
3.1.2 vulnerability Vulnerability in service 22 / tcp - SSH 192.168.0.210 [ SERVER ] / TTL= 200
versions of protocols

Description

Supported protocol versions:
1.99
2.0
 
3.2 vulnerability Port 42 / tcp - WINS 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 42 / tcp
Service : WINS
________________________________
Service name : Windows Internet Name Service
 
 
3.3 vulnerability Port 53 / tcp - DNS 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 53 / tcp
Service : DNS
 
 
3.4 vulnerability Port 53 / udp - DNS 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 53 / udp
Service : DNS
________________________________
Server does not respond to name request

Server name determined by heuristic mechanisms
Microsoft Windows 2000 Name Server

 
 
3.5 vulnerability Port 88 / tcp - Kerberos 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 88 / tcp
Service : Kerberos
________________________________
Service name : Kerberos network authentication protocol
 
 
3.6 vulnerability Port 123 / udp - NTP 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 123 / udp
Service : NTP
 
 
3.7 vulnerability Port 135 / tcp - RPC win32services 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 135 / tcp
Service : RPC win32services
________________________________
Service name : Generic Host Process for Win32 Services
 
 
3.7.1 vulnerability Vulnerability in service 135 / tcp - RPC win32services 192.168.0.210 [ SERVER ] / TTL= 200
DCOM service started

Description

DCOM service started (Distributed Component Object Model).

Solution

Disable DCOM if it is not needed.
 
3.8 vulnerability Port 137 / udp - NetBIOS-SSN 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 137 / udp
Service : NetBIOS-SSN
 
 
3.9 vulnerability Port 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 139 / tcp
Service : NetBIOS
 
 
3.9.1 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
remote registry service

Description

Full remote access to registry key HKEY_CLASSES_ROOT is possible.

Solution

Disable remote registry service.
 
3.9.2 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
Windows updates

Description

Windows updates are not installed

Risk | Fix up | Description
3 | MS04-007 | ASN.1 Vulnerability Could Allow Code Execution (828028)
2 | MS04-006 | Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)
3 | MS03-026 | Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
3 | MS03-022 | Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)

 
3.9.3 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
Internet Explorer updates

Description

Internet Explorer updates are not installed

Risk | Fix up | Description
3 | Service Pack 1 | Service Pack not installed
3 | MS04-004 | Cumulative Security Update for Internet Explorer (832894)

 
3.9.4 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
execute arbitrary code (04-007)

Description

A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow.

An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

Solution

Install update:
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
 
3.9.5 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
list of resources

Description

Carefully review which resources the computer shares.

The list of resources:

Video - user
VSS - user
IPC$ (Remote IPC) - default pipe
D$ (Default share) - default disk
print$ (Printer Drivers) - user
Reports - user
exchange - user
MaxPatrol70 - user
NETLOGON (Logon server share) - user
webcamv$ - user
Отчеты - user
ClientsReport - user
Projects - user
CD-RW - user
users - user
Office - user
CurrentMaxPatrol - user
test - user
F$ (Default share) - default disk
Music - user
2zero - user
ADMIN$ (Remote Admin) - default disk
SYSVOL (Logon server share) - user
webcam$ - user
C$ (Default share) - default disk
H - user
printer (HP LaserJet 3200 Series PCL 5e) - printer
soft - user
AuditDB - user

 
3.9.6 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
list of users ( 1 - 18 )

Description

The list of users makes it possible to determine passwords by brute force.

The list of users of host :

user : Администратор
privileges : Administrator
comment : Built-in account for administering the computer/domain
logins : 915
last connection time : Mon Mar 29 15:19:13 2004
time elapsed since last password change (days) : 406
account status : password never expires

user : Гость
privileges : User
comment : Built-in account for guest access to the computer/domain
logins : 0
account status : disabled, login without password allowed

user : krbtgt
privileges : User
comment : KDC service account
logins : 0
time elapsed since last password change (days) : 406
account status : disabled

user : damned
privileges : Administrator
full name : damned
logins : 1004
last connection time : Fri Jan 30 15:06:16 2004
time elapsed since last password change (days) : 61
account status : password never expires

user : cyber
privileges : Administrator
full name : cyber_fire
logins : 2
last connection time : Mon Feb 02 16:17:21 2004
time elapsed since last password change (days) : 406
account status : password never expires

user : ldestroy
privileges : Administrator
full name : ldestroy
logins : 2
last connection time : Thu Feb 12 15:48:58 2004
time elapsed since last password change (days) : 406
account status : password never expires

user : demon
privileges : Administrator
full name : demon
logins : 19
last connection time : Mon Mar 15 19:43:51 2004
time elapsed since last password change (days) : 287
account status : password never expires

user : oberon
privileges : User
full name : oberon
logins : 0
time elapsed since last password change (days) : 406

user : Kireev
privileges : User
full name : ekireev
logins : 895
last connection time : Mon Mar 29 15:52:55 2004
time elapsed since last password change (days) : 406
account status : password never expires

user : TsInternetUser
privileges : User
full name : TsInternetUser
comment : This account is used by Terminal Services.
logins : 0
time elapsed since last password change (days) : 383
account status : login without password allowed

user : cyberdemon
privileges : Administrator
full name : cyberdemon
logins : 1
last connection time : Wed Mar 19 15:52:49 2003
time elapsed since last password change (days) : 375
account status : password never expires

user : Spi
privileges : User
full name : Spi
logins : 8
last connection time : Wed Mar 10 18:42:44 2004
time elapsed since last password change (days) : 356
account status : password never expires

user : IUSR_SERVER
privileges : User
full name : Internet Guest Account
comment : Built-in account for anonymous access to IIS
logins : 0
last connection time : Mon Sep 22 20:03:20 2003
time elapsed since last password change (days) : 355
account status : login without password allowed

user : IWAM_SERVER
privileges : User
full name : Account for launching IIS
comment : Built-in account for launching IIS server applications
logins : 29
last connection time : Thu Sep 18 17:13:50 2003
time elapsed since last password change (days) : 355
account status : login without password allowed

user : SQLDebugger
privileges : User
full name : SQLDebugger
comment : This user account is used by the Visual Studio .NET Debugger
logins : 0
time elapsed since last password change (days) : 279
account status : password never expires

user : Nadezhda
privileges : User
full name : Nadezhda
logins : 422
last connection time : Mon Mar 29 10:37:33 2004
time elapsed since last password change (days) : 194
account status : password never expires

user : Spir
privileges : Guest
full name : Spir
logins : 12
last connection time : Thu Dec 11 10:08:21 2003
time elapsed since last password change (days) : 111
account status : password never expires

user : NetShowServices
privileges : Administrator
full name : This account allows the use of Windows Media services
comment : This account allows the use of Windows Media services
logins : 10
last connection time : Mon Mar 22 10:35:26 2004
time elapsed since last password change (days) : 18
account status : password never expires



 
3.9.7 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
active session list

Description

The list of active sessions:

host : 192.168.0.113
user : SPI03$
connection duration : 72:57:29

host : LDESTROY
user : LDESTROY
connection duration : 01:54:21

host : XXX
user : DEMON
connection duration : 00:53:40

host : 192.168.0.10
user :
connection duration : 00:00:00


Such a list makes it possible to find the most vulnerable host connected to the server, attack it first, and then gain privileges on the server.

Solution

Deny NULL session access (see NULL session vulnerability) and/or turn off "Guest" login on server.
 
3.9.8 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
unsecure page file

Description

The virtual memory page file should be cleared on each shutdown, as it may contain confidential information.

Solution

Set the registry value ClearPageFileAtShutdown to 1 under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Links

http://www.microsoft.com/
 
3.9.9 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
weak cryptography

Description

Weak encryption of passwords.

Solution

Change or create the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
LMCompatibilityLevel = 2
 
3.9.10 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
MAC-address

Description

Host MAC-address: 00-02-B3-8E-BB-36
 
3.9.11 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
computer name and domain

Description

Computer name : SERVER
Domain : POSITIVE
 
3.9.12 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
user group list

Description

The list of user groups:


Local groups of users :

group : Администраторы
comment : Administrators have complete and unrestricted access to the computer or domain

group : Пользователи
comment : Users do not have rights to change system settings. They cannot run many uncertified applications.

group : Гости
comment : Guests have the same rights as users by default, except for the "Гость" account, which is restricted further.

group : Операторы архива
comment : Backup operators can override access restrictions solely for the purpose of backing up and restoring files.

group : Репликатор
comment : Supports file replication in the domain

group : Операторы сервера
comment : Members of the group have rights to administer domain servers

group : Операторы учета
comment : Members of the group have rights to administer user and group accounts

group : Операторы печати
comment : Members of the group have rights to administer domain printers

group : Пред-Windows 2000 доступ
comment : Backward-compatibility group that allows read access to all users and groups in this domain

group : Серверы RAS и IAS
comment : Servers in this group can access the remote access properties of users

group : Пользователи WINS
comment : Members who have view-only access to the WINS service

group : DnsAdmins
comment : DNS administrators group

group : NetOpActivity
comment : NetOp Activity

group : ORA_DBA
comment : Members can connect to the Oracle database as a DBA without a password

group : NetShow Administrators
comment : Члены могут проводить полное администрирование служб Windows Media


Global groups of users :

group : _Web Anonymous Users
comment : guests of web service

group : _Web Applications
comment : web applications run as these users

group : DnsUpdateProxy
comment : DNS-клиенты, которым разрешено выполнять динамическое обновление по запросу других клиентов (например, DHCP-серверов).

group : Администраторы домена
comment : Назначенные администраторы домена

group : Администраторы предприятия
comment : Назначенные администраторы предприятия

group : Администраторы схемы
comment : Назначенные администраторы схемы

group : Владельцы-создатели групповой политики
comment : Члены этой группы могут изменять групповую политику для домена

group : Гости домена
comment : Все гости домена

group : Издатели сертификатов
comment : Агенты обновления и сертификации предприятия

group : Компьютеры домена
comment : Все рабочие станции и серверы присоединились к домену

group : Контроллеры домена
comment : Все контроллеры домена находятся в домене

group : Пользователи домена
comment : Все пользователи домена

Solution

Deny NULL session access (see NULL session vulnerability) and/or turn off "Guest" login on server.
 
3.9.13 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
transport protocols list

Description

The list of transport protocols used by the host :

device (protocol) : \Device\NetBT_Tcpip_{E5155542-4BBD-4B63-B6C1-B1E7D1243195}
server name : SERVER
network address : 0002b38ebb36
the number of connected users : 2
domain : POSITIVE

device (protocol) : \Device\NetBT_Tcpip_{E5155542-4BBD-4B63-B6C1-B1E7D1243195}
server name : SERVER
network address : 0002b38ebb36
the number of connected users : 0
domain : POSITIVE

device (protocol) : \Device\NetbiosSmb
server name : SERVER
network address : 000000000000
the number of connected users : 0
domain : POSITIVE

device (protocol) : \Device\NetbiosSmb
server name : SERVER
network address : 000000000000
the number of connected users : 2
domain : POSITIVE

Solution

Deny NULL session access (see NULL session vulnerability) and/or turn off "Guest" login on server.
 
3.9.14 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
NULL session connection

Description

A null session is a NetBIOS connection made to a server by an anonymous client. Since the connection is anonymous, the client's identification field is null (hence the name) and the session is unauthenticated. As a system administrator, you should consider all information which can be obtained via a null session to be essentially public information, whether you intended this or not. Furthermore any functions which can be performed remotely via a null session may be executed by anyone, from anywhere, and you won't be able to determine who did it. Therefore it is recommended that you restrict null session access to the minimum level necessary to meet your needs.


This vulnerability report is accurate only if the scan was performed under an account with administrative rights on the host.

Solution

Windows:

1. Add the value RestrictAnonymous = 2 (Windows 2000/XP/2003) or RestrictAnonymous = 1 (Windows NT3.5/NT4.0), to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_DWORD)

2. Add the value RestrictNullSessionAccess = 1, to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver (value type: REG_DWORD)

3. Reboot system to apply changes.

Samba:

Enable server access for registered users only.
Change security = share to security = user (or security = server or security = domain) in the smb.conf file.

Links

http://support.microsoft.com/support/kb/articles/q143/4/74.asp
 
3.9.15 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
Windows version

Description

Version of Windows is Windows 2000 Server ( Service Pack 4 )

Hotfixes installed:

KB329115
KB823182
KB823559
KB824105
KB824141
KB824146
KB825119
KB826232
KB828035
KB828749
Q147222
Q295688
Q828026
Q318202
Q328797
Q823718
Q832483

 
3.9.16 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
MSSQL version

Description

Version of MSSQL is 8.00.194

 
3.9.17 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
IIS version

Description

Version of IIS is 5.0

 
3.9.18 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
Internet Explorer version

Description

Version of Internet Explorer is 6.0.2600.0000

 
3.9.19 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
MDAC version

Description

MDAC version: 2.71.9030.9
 
3.9.20 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
domain controller (AD)

Description

Host is domain controller (Active Directory).
 
3.9.21 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
Scheduler Service

Description

Disable Scheduler service if it is not necessary. This service is often used by attackers to run harmful code.

Solution

Set the following registry key to disable the service:
HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\Schedule
Start = 4

 
3.9.22 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
autorun

Description

The Autorun feature for CD-ROM is enabled. This feature may be used by attackers to run harmful code.

Solution

Set the following registry key to disable Autorun:
HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\CDRom
Autorun = 0
 
3.9.23 vulnerability Vulnerability in service 139 / tcp - NetBIOS 192.168.0.210 [ SERVER ] / TTL= 200
LanManager and OS

Description

LanManager: Windows 2000 LAN Manager
OS: Windows 5.0
 
3.10 vulnerability Port 389 / tcp - LDAP 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 389 / tcp
Service : LDAP
________________________________
Service name : Lightweight Directory Access Protocol
 
 
3.10.1 vulnerability Vulnerability in service 389 / tcp - LDAP 192.168.0.210 [ SERVER ] / TTL= 200
sensible information acquisition

Description

Using a NULL BASE request without authorization, it is possible to acquire sensitive information:

currentTime : 20040329120859.0Z
subschemaSubentry : CN=Aggregate,CN=Schema,CN=Configuration,DC=positive,DC=int
dsServiceName : CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=positive,DC=int
namingContexts : CN=Schema,CN=Configuration,DC=positive,DC=int CN=Configuration,DC=positive,DC=int DC=positive,DC=int
defaultNamingContext : DC=positive,DC=int
schemaNamingContext : CN=Schema,CN=Configuration,DC=positive,DC=int
configurationNamingContext : CN=Configuration,DC=positive,DC=int
rootDomainNamingContext : DC=positive,DC=int
supportedControl : 1.2.840.113556.1.4.319 1.2.840.113556.1.4.801 1.2.840.113556.1.4.473 1.2.840.113556.1.4.528 1.2.840.113556.1.4.417 1.2.840.113556.1.4.619 1.2.840.113556.1.4.841 1.2.840.113556.1.4.529 1.2.840.113556.1.4.805 1.2.840.113556.1.4.521 1.2.840.113556.1.4.970 1.2.840.113556.1.4.1338 1.2.840.113556.1.4.474 1.2.840.113556.1.4.1339 1.2.840.113556.1.4.1340 1.2.840.113556.1.4.1413
supportedLDAPVersion : 3 2
supportedLDAPPolicies : MaxPoolThreads MaxDatagramRecv MaxReceiveBuffer InitRecvTimeout MaxConnections MaxConnIdleTime MaxActiveQueries MaxPageSize MaxQueryDuration MaxTempTableSize MaxResultSetSize MaxNotificationPerConn
highestCommittedUSN : 72283
supportedSASLMechanisms : GSSAPI GSS-SPNEGO
dnsHostName : server.positive.int
ldapServiceName : positive.int:server$@POSITIVE.INT
serverName : CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=positive,DC=int
supportedCapabilities : 1.2.840.113556.1.4.800 1.2.840.113556.1.4.1791
isSynchronized : TRUE
isGlobalCatalogReady : TRUE

Solution

Disable NULL BASE request.
 
3.11 vulnerability Port 445 / tcp - Microsoft DS 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 445 / tcp
Service : Microsoft DS
 
 
3.12 vulnerability Port 464 / tcp - Blocked 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 464 / tcp
Service breaks connection.
Possibly access for current IP address forbidden.

Service is not identified
default service for the port : kpasswd
 
 
3.13 vulnerability Port 593 / tcp - HTTP RPC epmap 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 593 / tcp
Service : HTTP RPC epmap
________________________________
Service name : HTTP RPC endpoint mapper (COM+ Internet Services)
 
 
3.13.1 vulnerability Vulnerability in service 593 / tcp - HTTP RPC epmap 192.168.0.210 [ SERVER ] / TTL= 200
DCOM service started

Description

DCOM service started (Distributed Component Object Model).

Solution

Disable DCOM if it is not needed.
 
3.14 vulnerability Port 636 / tcp - Blocked 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 636 / tcp
Service breaks connection.
Possibly access for current IP address forbidden.

Service is not identified
default service for the port : ldaps
 
 
3.15 vulnerability Port 1026 / tcp - RPC LSASS.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1026 / tcp
Service : RPC LSASS.exe
________________________________
Service name : LSA Executable and Server DLL (Export Version)
 
 
3.16 vulnerability Port 1029 / tcp - HTTP RPC epmap 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1029 / tcp
Service : HTTP RPC epmap
________________________________
Service name : HTTP RPC endpoint mapper (COM+ Internet Services)
 
 
3.17 vulnerability Port 1038 / tcp - RPC Windows 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1038 / tcp
Service : RPC Windows
________________________________
Unable to identify RPC service
 
 
3.18 vulnerability Port 1050 / tcp - RPC ismserv.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1050 / tcp
Service : RPC ismserv.exe
________________________________
Service name : Windows NT Intersite Messaging Service
 
 
3.19 vulnerability Port 1079 / tcp - RPC mstask.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1079 / tcp
Service : RPC mstask.exe
________________________________
Service name : Task Scheduler Engine
 
 
3.19.1 vulnerability Vulnerability in service 1079 / tcp - RPC mstask.exe 192.168.0.210 [ SERVER ] / TTL= 200
Scheduler Service

Description

Disable Scheduler service if it is not necessary. This service is often used by attackers to run harmful code.

Solution

Set the following registry key to disable the service:
HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\Schedule
Start = 4

 
3.20 vulnerability Port 1080 / tcp - RPC services.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1080 / tcp
Service : RPC services.exe
________________________________
Service name : Services and Controller app
 
 
3.21 vulnerability Port 1090 / tcp - RPC dns.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1090 / tcp
Service : RPC dns.exe
________________________________
Service name : Microsoft DNS Server
 
 
3.22 vulnerability Port 1091 / tcp - RPC ntfrs.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1091 / tcp
Service : RPC ntfrs.exe
________________________________
Service name : File Replication Service
 
 
3.23 vulnerability Port 1099 / tcp - RPC wins.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1099 / tcp
Service : RPC wins.exe
________________________________
Service name : Windows Internet Name Service (WINS)
 
 
3.24 vulnerability Port 1103 / tcp - RPC inetinfo.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1103 / tcp
Service : RPC inetinfo.exe
________________________________
Service name : Internet Information Services
 
 
3.25 vulnerability Port 1107 / tcp - RPC mqsvc.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1107 / tcp
Service : RPC mqsvc.exe
________________________________
Service name : Message Queuing Service
 
 
3.26 vulnerability Port 1433 / tcp - MsSQL 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1433 / tcp
Service : MsSQL
________________________________
Service name : Microsoft SQL Server
 
 
3.26.1 vulnerability Vulnerability in service 1433 / tcp - MsSQL 192.168.0.210 [ SERVER ] / TTL= 200
user 'sa'

Description

User 'sa' has password 'assa'. Using this password, any user can gain full access to the databases. If the xp_cmdshell extended procedure is available, full control of the server can be obtained.

Solution

Set a more complex password for user 'sa'.
 
3.27 vulnerability Port 1434 / udp - MsSQL info 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1434 / udp
Service : MsSQL info
 
 
3.27.1 vulnerability Vulnerability in service 1434 / udp - MsSQL info 192.168.0.210 [ SERVER ] / TTL= 200
service information

Description

NetBIOS name : SERVER
service name : MSSQLSERVER
server version : 8.00.194
TCP port : 1433
pipe : \\SERVER\pipe\sql\query

Solution

Close access to port 1434/udp
 
3.28 vulnerability Port 1755 / tcp - Windows Media 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1755 / tcp
Service : Windows Media
________________________________
Server version : 4.1.0.3930
 
 
3.28.1 vulnerability Vulnerability in service 1755 / tcp - Windows Media 192.168.0.210 [ SERVER ] / TTL= 200
DoS-attack

Description

A vulnerability exists because of the way that Windows Media Station Service and Windows Media Monitor Service, components of Windows Media Services, handle TCP/IP connections. If a remote user were to send a specially-crafted sequence of TCP/IP packets to the listening port of either of these services, the service could stop responding to requests and no additional connections could be made. The service must be restarted to regain its functionality.

Solution

Install update:
http://www.microsoft.com/technet/security/bulletin/ms04-008.mspx
 
3.29 vulnerability Port 1801 / tcp - msmq 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 1801 / tcp
Service is not identified
default service for the port : msmq
 
 
3.30 vulnerability Port 2101 / tcp - RPC mqsvc.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 2101 / tcp
Service : RPC mqsvc.exe
________________________________
Service name : Message Queuing Service
 
 
3.31 vulnerability Port 2103 / tcp - RPC mqsvc.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 2103 / tcp
Service : RPC mqsvc.exe
________________________________
Service name : Message Queuing Service
 
 
3.32 vulnerability Port 2105 / tcp - RPC mqsvc.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 2105 / tcp
Service : RPC mqsvc.exe
________________________________
Service name : Message Queuing Service
 
 
3.33 vulnerability Port 2107 / tcp - RPC mqsvc.exe 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 2107 / tcp
Service : RPC mqsvc.exe
________________________________
Service name : Message Queuing Service
 
 
3.34 vulnerability Port 3268 / tcp - msft-gc 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 3268 / tcp
Service is not identified
default service for the port : msft-gc
 
 
3.35 vulnerability Port 3269 / tcp - Blocked 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 3269 / tcp
Service breaks connection.
Possibly access for current IP address forbidden.

Service is not identified
default service for the port : msft-gc-ssl
 
 
3.36 vulnerability Port 3372 / tcp - MsDTC 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 3372 / tcp
Service : MsDTC
________________________________
Service name : Distributed Transaction Coordinator
 
 
3.37 vulnerability Port 3389 / tcp - MsRDP 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 3389 / tcp
Service : MsRDP
________________________________
Service name : Microsoft Terminal Service
 
 
3.37.1 vulnerability Vulnerability in service 3389 / tcp - MsRDP 192.168.0.210 [ SERVER ] / TTL= 200
remote control

Description

Remote control service is started.
 
3.38 vulnerability Port 4899 / tcp - Radmin 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 4899 / tcp
Service : Radmin
________________________________
Service name : Remote Administrator Server
server version : 2.0
 
 
3.38.1 vulnerability Vulnerability in service 4899 / tcp - Radmin 192.168.0.210 [ SERVER ] / TTL= 200
remote control

Description

Remote control service is started.
 
3.39 vulnerability Port 6666 / tcp - unknown 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 6666 / tcp
 
 
3.40 vulnerability Port 7007 / tcp - afs3-bos 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 7007 / tcp
Service is not identified
default service for the port : afs3-bos
 
 
3.41 vulnerability Port 8080 / tcp - HTTP 192.168.0.210 [ SERVER ] / TTL= 200
 
Port : 8080 / tcp
Service : HTTP
________________________________
Server name: webcamXP
state : 401 (Unauthorized)
authentication : Basic realm="webcamXP"
current date/time: Mon, 29 Mar 2004 16:07:32 +0400
content format : text/html
connection: close

Heuristic confirmation not available