At 12:45 PM 11/17/98 -0800, Security Research Labs wrote:

>If the SNMP Service is reconfigured with a more secure community name,
>the system is still vulnerable to attack from users with an account on
>the system. The SNMP Service parameters are stored in the registry
>and are readable by all users. A user with an account on the system
>can read the list of configured community names and use the community
>name to access the SNMP Service. With write access to the SNMP
>community, a user can perform actions that are usually restricted to
>users with privileged access.

Something that is important to note here is that on default installs of both NT Server and Workstation, remote access to this portion of the registry is restricted to administrators. By default, local access to the registry of a server will be restricted to privileged users, so it is false that the community strings can be obtained by any user with an account on the system. That statement is only true regarding local access to a workstation.

Note that I have recommended for well over a year that people set the access controls to this registry key to admins:F, system:F. For details on how to do this, please refer to the help system of the ISS scanner - any version since 4.3 will contain this check and instructions.

>Remote individuals with network access to a machine running the Windows
>NT SNMP Service can query and set any of the system management
>variables that are supported. Information that can be queried includes:
>
> - the LAN Manager domain name
> - a list of users
> - a list of shares
> - a list of running services

As documented in the ISS scanner help system (any version since 5.0), you may disable just this portion of the SNMP mibs by: Open the HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents key, locate the value which contains 'SOFTWARE\Microsoft\LANManagerMIB2Agent\CurrentVersion' and remove it.

If your network management practices do not require this information (which is freely available via more secure mechanisms), it is best to disable the LM extensions to the SNMP service. It may be worthwhile to examine all of the extension agents, and only enable those which are required.

>By setting variables, an attacker can modify the IP routing table
>and the ARP table. An attacker can also bring interfaces up and down
>and set critical networking parameters such as the default IP
>time-to-live (TTL) and IP forwarding. These settings allow an attacker
>to redirect network traffic, impersonate other machines or deny the
>machine access to the network.

Given that a typical local user who is allowed to read the community strings from the registry can unplug the network cable, this won't be an issue on most workstations with respect to the console user(s). It may be of more concern on a terminal server. This leaves the typical insecurities associated with SNMP, which affect any device running that protocol.

>On NT 5.0, the permissions on this key will be set securely by
>default.

This isn't true, but NT 5.0 is beta software and very well could change before release.

David LeBlanc
dleblancat_private
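A way to audit the two mitigations discussed in the message above on a current Windows host: that only privileged principals can read the SNMP Parameters key, and that the LAN Manager MIB-2 extension agent is not registered. This is an added PowerShell example, not code from the thread or from ISS; the list of principals treated as privileged and the choice of the Parameters key as the key to audit are assumptions.

```powershell
# Added example (not from the original thread). Assumes the SNMP service is
# installed and the script runs with rights to read these keys' ACLs.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$agentsKey = "$paramsKey\ExtensionAgents"

function Test-SnmpParametersAcl {
    # Returns $true only when every Allow ACE on the Parameters key belongs to
    # a privileged principal (the thread's target state is admins:F, system:F).
    # The allowed list is an assumption; extend it for your own baseline.
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    $acl = Get-Acl -Path $paramsKey
    $bad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value
    })
    foreach ($ace in $bad) {
        Write-Warning ("{0} has {1} on SNMP\Parameters (community strings readable)" -f
            $ace.IdentityReference.Value, $ace.RegistryRights)
    }
    return ($bad.Count -eq 0)
}

function Get-SnmpLanManagerAgentValues {
    # Lists ExtensionAgents values whose data points at the LANManagerMIB2Agent
    # key named in the thread. An empty result means that MIB subtree
    # (domain name, users, shares, services) is not served by this host.
    if (-not (Test-Path $agentsKey)) { return @() }
    $item = Get-ItemProperty -Path $agentsKey
    @($item.PSObject.Properties |
        Where-Object { $_.Value -like '*LANManagerMIB2Agent*' } |
        Select-Object Name, Value)
}

if (-not (Test-Path $paramsKey)) { Write-Host 'SNMP service not installed'; return }

if (Test-SnmpParametersAcl) { Write-Host 'ACL on SNMP\Parameters: privileged principals only' }

$lm = Get-SnmpLanManagerAgentValues
if ($lm.Count -gt 0) {
    Write-Warning ("LAN Manager MIB-2 extension agent registered via value(s): " +
        ($lm.Name -join ', '))
    # Removal, as the thread recommends (run elevated, after exporting the key):
    # $lm | ForEach-Object { Remove-ItemProperty -Path $agentsKey -Name $_.Name }
} else {
    Write-Host 'LAN Manager MIB-2 extension agent: not registered'
}
```

The removal line is left commented so the script only reports; apply it deliberately after confirming your management tooling does not depend on that MIB.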
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:44 PDT