Firewall Wizards mailing list archives

re: Re: NT WAN


From: MHurlburt () nea org
Date: Wed, 28 Jul 1999 7:47:31 EDT

I recently had the opportunity to 'evaluate' a certain LAN/WAN configuration 
which consisted of several NT domains participating in various 
transitive/non-transitive trust relationships (MS definition of trust)  via 
the public internet, thus creating the WAN you describe below.  

This was 'allowed' through the said firewall(s) by allowing TCP/139.  Although no 
'browsing' of NetBIOS tables can be done over 139 (this requires 137), suffice 
it to say that one can grab a session from the open internet on a box 'inside'; 
provided you have a range of IPs, this can easily be scripted; many persons do 
it daily.  Once you have obtained root equivalent on a system inside, it is 
very easy to get toolz installed which let you get root on more (and on other 
domains this box 'trusts' as well).  A friend of mine recently dubbed this a 
'bank shot'  :).

MS makes it very easy (let me rephrase this: the default NT configuration, 
and the lack of administrative corrections to it, make it very easy) to obtain a 
large amount of information on NT services, accounts, etc., via null sessions 
over 139.

It is my opinion that one would be asking for a severe amount of trouble if 
one were to allow any of the infamous 135-139 MS ports through one's firewall, 
unless of course your WAN links were in fact private themselves.

-Michael


| At 03:46 PM 7/26/99 -0700, Neil Ratzlaff wrote:
| >I am looking for some strong reasons to refuse to allow an NT WAN through
| >the firewall.
| >
| >There is a department here that wants to set up a wide area network of
| >several NT machines scattered over several states.  All they have said they
| >want is to share files and printing.  One of the local hosts would be
| >behind the firewall, and they wanted to know how to get through the
| >firewall, so I got called in.  I manage the firewall, but I don't do policy
| >of any kind.  I assume they would at least use PPTP, but I read recently
| >that although M$ improved it, it still is not very secure.
| >
| >I have the feeling this is a terrible idea.  They want to have clients go
| >both ways through the firewall, and I assume these clients are Windows 95,
| >98, and NT.  Can anyone point me to places that list or describe the risks
| >in simple English?  Or maybe it is not as dangerous as I think it is, and
| >this would be useful information, too.  I suspect that even if this were
| >all outside the firewall, it would still be a terrible idea, but I don't
| >know enough about NT to be sure, or to provide reasons.
| >
| >Is there some paper somewhere that I can point to that shows why this is a
| >bad idea?   Perhaps vulnerabilities that can't be patched?  I appreciate
| >any help anyone can provide.
| >
| >Neil
| >


This email, its files or previous e-mail attached to it, may contain 
confidential information being legally privileged.  Please disregard the 
contents if you are not the intended recipient.


******************************************************************
Only the individual sender is responsible for the content of this
message, and the message does not necessarily reflect the position
or policy of the National Education Association or its affiliates.
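As an added example for this thread (not code from either poster, and not a Microsoft tool), the following Python script walks the unauthenticated steps the message above describes against a host whose TCP/139 is reachable: a NetBIOS session request to the well-known '*SMBSERVER' name, an SMB1 "NT LM 0.12" negotiate, and a SESSION_SETUP_ANDX with an empty account name and password, i.e. a null session. The calling name 'PROBE', the NativeOS/NativeLanMan strings and the host argument are placeholders; the wire formats follow RFC 1002 and the SMB1 specification. Run it only against systems you are authorised to test, for instance to confirm that a firewall really does not pass 139 through.

```python
import socket
import struct

# Added example, not code from the original post. Wire formats follow RFC 1002
# (NetBIOS Session Service) and SMB1 "NT LM 0.12"; marked strings are placeholders.
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
STATUS_SUCCESS = 0


def encode_netbios_name(name, suffix=0x20):
    """RFC 1001 first-level encoding: 15-byte space-padded name plus a one-byte
    suffix, each nibble mapped onto 'A'..'P', giving a 32-character label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def nbss_session_request(called, calling):
    """Session Request (type 0x81): called server name (suffix 0x20) and calling
    workstation name (suffix 0x00), each as length byte, 32 chars, 0x00 terminator."""
    body = (b"\x20" + encode_netbios_name(called, 0x20) + b"\x00"
            + b"\x20" + encode_netbios_name(calling, 0x00) + b"\x00")
    return b"\x81\x00" + struct.pack(">H", len(body)) + body


def smb_packet(command, words, data, status=0, uid=0, mid=1):
    """32-byte SMB1 header + WordCount/words + ByteCount/data, wrapped in a
    NetBIOS Session Message (type 0x00, 3-byte big-endian length)."""
    header = (b"\xffSMB" + bytes([command]) + struct.pack("<I", status)
              + b"\x18"                    # Flags: case-insensitive, canonical paths
              + struct.pack("<H", 0x0001)  # Flags2: long names; no Unicode, no ext. security
              + b"\x00" * 12               # PIDHigh, SecuritySignature, Reserved
              + struct.pack("<HHHH", 0, 0x1234, uid, mid))  # TID, PID, UID, MID
    smb = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def negotiate_request():
    """Offer only the NT LM 0.12 dialect."""
    return smb_packet(SMB_COM_NEGOTIATE, b"", b"\x02NT LM 0.12\x00")


def null_session_setup():
    """SESSION_SETUP_ANDX (WordCount 13) with one-byte empty OEM/Unicode passwords
    and an empty account name and domain: the classic null session."""
    words = struct.pack("<BBHHHHIHHII",
                        0xFF, 0, 0,   # AndXCommand (none), AndXReserved, AndXOffset
                        4356, 2, 0,   # MaxBufferSize, MaxMpxCount, VcNumber
                        0, 1, 1,      # SessionKey, OEMPasswordLength, UnicodePasswordLength
                        0, 0)         # Reserved, Capabilities
    # OEM pw, Unicode pw, AccountName, PrimaryDomain, NativeOS, NativeLanMan (placeholders)
    data = b"\x00" + b"\x00" + b"\x00" + b"\x00" + b"Unix\x00" + b"Probe\x00"
    return smb_packet(SMB_COM_SESSION_SETUP_ANDX, words, data)


def smb_status(packet):
    """NT status of a NetBIOS-wrapped SMB1 response (SMB header starts at offset 4)."""
    if len(packet) < 36 or packet[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return struct.unpack_from("<I", packet, 9)[0]


def smb_uid(packet):
    """UID the server assigned; non-zero on a success status means we hold a session."""
    return struct.unpack_from("<H", packet, 32)[0]


def recv_nbss(sock):
    """Read one NetBIOS session packet: 4-byte header with 17-bit length, then body."""
    head = _recv_exact(sock, 4)
    length = struct.unpack(">I", b"\x00" + head[1:])[0] & 0x1FFFF
    return head + _recv_exact(sock, length)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe_null_session(host, port=139, timeout=5.0, calling="PROBE"):
    """How far an unauthenticated client gets: port reachable, NetBIOS session
    accepted, and whether an SMB session with empty credentials is granted."""
    result = {"port_open": False, "nbss_accepted": False, "null_session": False, "status": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["port_open"] = True
            s.sendall(nbss_session_request("*SMBSERVER", calling))
            if recv_nbss(s)[0] != 0x82:          # 0x83 = negative session response
                return result
            result["nbss_accepted"] = True
            s.sendall(negotiate_request())
            if smb_status(recv_nbss(s)) != STATUS_SUCCESS:
                return result
            s.sendall(null_session_setup())
            resp = recv_nbss(s)
            result["status"] = smb_status(resp)
            result["null_session"] = result["status"] == STATUS_SUCCESS and smb_uid(resp) != 0
    except OSError:
        pass
    return result


if __name__ == "__main__":
    import sys
    print(probe_null_session(sys.argv[1]))
```

On a perimeter that filters 135-139 as the message recommends, the result never gets past port_open being False. If the last step comes back with STATUS_LOGON_FAILURE (0xC000006D) or STATUS_ACCESS_DENIED (0xC0000022), TCP/139 is reachable from outside but null sessions are refused; a True null_session is exactly the foothold the message warns about, and the next thing an attacker does with it is the account and share enumeration mentioned above.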


