At 02:35 PM 6/17/99 -0400, Colette.Chamberlandat_private wrote:

>The user will then be prompted for a UserID and password and if successful
>authentication takes place they are given access to sensitive server
>information. It provides an attacker with a means to brute
>force / guess the Administrator's password and if successful an enormous
>amount of reconnaissance work can be achieved through the application's use.

I think you'll find that in general, someone running PWS will also not have any port filtering in place and that the NetBIOS ports are available - we're talking about someone's workstation, so this won't usually be the only means to go guessing the admin password. The important thing is to make sure that you've chosen a strong password.

I'd have to check into it, but I think that the web-based administration can be disabled entirely - an MMC-based admin tool can be used instead.

I don't recommend changing the admin user's name in any case where the NetBIOS ports are open, because the administrator's name can always be determined. However, if the NetBIOS ports are not available, then renaming that account can provide an extra level of obfuscation.

It is equally important to be sure that any application which allows administration of the web site (such as Front Page) has been set up properly.

David LeBlanc
dleblancat_private
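As an added illustration of the point made in the reply above (example code, not part of the original message), the following PowerShell audit checks a Windows workstation for the two conditions the reply ties together: whether the NetBIOS/SMB listeners are open, and whether the built-in administrator account (always relative ID 500 in its SID, whatever it has been renamed to) still carries its default name. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts and NetTCPIP modules, run from an elevated shell.

```powershell
# Added example, not part of the original message. Assumes Windows PowerShell 5.1+
# (Get-LocalUser, Get-NetTCPConnection, Get-NetUDPEndpoint) in an elevated shell.

# NetBIOS/SMB listeners. While these are reachable, the built-in admin account's
# real name can be resolved remotely regardless of any rename, so a rename
# adds nothing unless these ports are closed or filtered.
$netbiosTcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 }
$netbiosUdp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 137, 138 }
$netbiosListening = (@($netbiosTcp).Count + @($netbiosUdp).Count) -gt 0

# Locate the built-in Administrator by RID 500 rather than by name, since the
# name is exactly the thing that may have been changed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$renamed = $builtinAdmin.Name -ne 'Administrator'

# Summary for the reviewer: the rename is only meaningful obfuscation when the
# NetBIOS ports are not listening; a strong password matters in every case.
# (A host firewall may still block a listening port; check that separately.)
[pscustomobject]@{
    NetBiosListening    = $netbiosListening
    BuiltinAdminName    = $builtinAdmin.Name
    BuiltinAdminEnabled = $builtinAdmin.Enabled
    Renamed             = $renamed
    RenameEffective     = $renamed -and -not $netbiosListening
    PasswordLastSet     = $builtinAdmin.PasswordLastSet
}
```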
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:05 PDT