Security Basics mailing list archives

RE: About default sharing folders in Windows


From: "skyfront" <skyfront () wanadoo fr>
Date: Wed, 4 Jun 2003 14:21:15 +0200


I think this is the most complete info on the subject (there's more
information you could search for in the archives, because this problem has
already had a lot of discussion):

If you have no firewalls and NetBIOS was not blocked otherwise,
I believe a hacker may use a command like this one to map your drive C:
as a local M:

net use M: \\your_computer\C$ password /USER:your_login

Of course he will need to guess your password in order to perform such
a task. IMHO, on a default NT installation guessing a login is not a problem.
Logins may be obtained through NULL sessions due to the IPC$ share being opened for
everyone. Since the password was guessed, the hacker would have
permissions like the user the account belongs to.

To disable default shares, edit registry as follows:

In key HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

Create or edit AutoShareWks or AutoShareServer (for server) value and
set it with REG_DWORD 0


To disable IPC$ share, go to key

HKLM\SYSTEM\CurrentControlSet\Control\LSA

And create or modify the REG_DWORD value RestrictAnonymous.
You'd better set it to 1. This will not disable null sessions, but
prevents anonymous users from gathering sensitive information like user
accounts etc. The value 2 completely disables NULL sessions, but it may cause
problems in connections with non-Microsoft software and older MS
versions (FYI see Q246261).

Hope this helps.

--
Best regards,
 Martchukov Anton aka VH                      mailto:vhlist () yandex ru

-----Original Message-----
From: Michelle Mueller [mailto:muellerm () mtmary edu]
Sent: Tuesday, June 3, 2003 17:08
To: Jimi Thompson
Cc: netsecurity.guide () about com; security-basics () securityfocus com
Subject: Re: About default sharing folders in Windows


You can remove administrative shares on a workstation by setting this key:

HKLM\System\
CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks
(REG_DWORD) 0

This information comes from http://www.cisecurity.org/  If you install
their security benchmarking tool, a .pdf file is included with all of
the registry key settings needed to secure a workstation.  I imagine you
can get this .pdf somewhere on the site but I haven't looked for it.
The benchmarking tool also includes security admin templates for
workstations and group policies.  Use the tool.  If you haven't taken
any steps to secure your computers you'll be shocked at the results.



Jimi Thompson wrote:

<SNIP>

I believe there might be a way in the registry to remove the
administrative shares altogether, but whether there is or isn't you need
to make sure you have strong passwords for the administrator account and
you should assign a strong password to the Guest account even if you
keep the account disabled.

</SNIP>

I strongly suggest renaming the local Administrator and Guest accounts
to something that is not easily guessed at.  In addition, you should
probably create "dummy" accounts named "Administrator" and "Guest"
that have no rights/no group memberships and are disabled.  Monitor
the dummy accounts closely for log in attempts.

If your machines are going to be exposed to the Internet, you will have
to hack the registry to remove all the default shares. Technet has
several fine articles on this.
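The registry settings named in this thread (AutoShareWks / AutoShareServer under LanManServer\Parameters, and RestrictAnonymous under Control\Lsa), gathered into one audit-and-apply script. This is an added example, not code posted by any of the list members; it assumes a modern PowerShell on Windows, run from an elevated prompt, and the -Apply switch and the $desired table are this example's own constructs.

```powershell
# Added example (not from the thread): audit, and optionally apply, the
# registry values discussed above. Run from an elevated PowerShell prompt.
param([switch]$Apply)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired values as given in the thread: AutoShareWks / AutoShareServer = 0
# stops the C$ / ADMIN$ style administrative shares from being created;
# RestrictAnonymous = 1 stops anonymous (null-session) callers from
# enumerating accounts and shares.
$desired = @(
    @{ Path = $lanman; Name = 'AutoShareWks';      Value = 0 },
    @{ Path = $lanman; Name = 'AutoShareServer';   Value = 0 },
    @{ Path = $lsa;    Name = 'RestrictAnonymous'; Value = 1 }
)

foreach ($item in $desired) {
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name `
                -ErrorAction SilentlyContinue).($item.Name)

    if ($null -eq $current) {
        $state = 'missing (OS default applies)'
    } elseif ($current -eq $item.Value) {
        $state = 'OK'
    } else {
        $state = "set to $current"
    }
    Write-Host ("{0}\{1}: {2}" -f $item.Path, $item.Name, $state)

    if ($Apply -and $current -ne $item.Value) {
        # New-ItemProperty creates the value; -Force overwrites an existing one.
        New-ItemProperty -Path $item.Path -Name $item.Name `
            -PropertyType DWord -Value $item.Value -Force | Out-Null
        Write-Host "  -> set to $($item.Value)"
    }
}

# Show which administrative shares are exposed right now. Get-SmbShare
# exists on Windows 8 / Server 2012 and later; 'Special' marks admin shares.
if (Get-Command Get-SmbShare -ErrorAction SilentlyContinue) {
    Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path
}
```

Run it without arguments to see the current state, and with -Apply to write the values. The AutoShare values are read when the Server service starts, so the existing C$ and ADMIN$ shares stay until you run Restart-Service LanmanServer -Force or reboot; re-running the audit afterwards should list only IPC$ among the special shares. As the thread notes, RestrictAnonymous = 2 is the setting most likely to break older clients and non-Microsoft software; on Windows XP and later it is no longer honoured at all and was replaced by the separate RestrictAnonymousSAM and EveryoneIncludesAnonymous values, so 1 is the value to test with first.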



