RE: Veritas Backup Exec opens networks for NetBIOS based attacks?

From: Gino Genari (gino@supreme-court.gov)
Date: Fri Sep 06 2002 - 13:53:09 PDT


    Check Document 239739, this was modified in version 8.6
    http://seer.support.veritas.com/docs/239739.htm
    
    <Snip>
    Support for the "Restrict Anonymous" option was added to Backup Exec version
    8.6.
    
    NOTE: Versions of Backup Exec prior to 8.6, do not support enabling
    "Restrict Anonymous"
    
    <end Snip>
    
    Regards,
    Gino
    
    
    -----Original Message-----
    From: Geoff Craig [mailto:GCraigat_private]
    Sent: Friday, September 06, 2002 4:19 PM
    To: bugtraqat_private
    Subject: Veritas Backup Exec opens networks for NetBIOS based attacks?
    
    
    Veritas Backup Exec opens networks for NetBIOS based attacks?
    
    By: Geoff Craig, Adrian Romo
    Company: Quilogy http://www.quilogy.com
    
    Currently, we are working with a customer that has moved to Active
    Directory and is using Backup Exec 8.5 to back up all servers and domain
    controllers from a centralized backup server.  We do not feel that this
    is an uncommon backup implementation.  During a security audit, it was
    determined that the RestrictAnonymous registry value on the customer's
    domain controllers and Exchange 2000 server was set to 0 (allowing
    anonymous enumeration of the SAM database and shares).  This was
    determined to be an unacceptable security risk, and the domain
    controller security policy along with the local security policy on the
    Exchange 2000 server was changed so that the RestrictAnonymous value was
    1.  After setting RestrictAnonymous to 1, Backup Exec started reporting
    errors such as "Unable to attach to \\mydc\System?State. The device
    cannot be found".  A similar error was reported on the Exchange 2000
    server as well.  After a quick search of the Veritas knowledgebase the
    following articles were found:
    
    http://seer.support.veritas.com/docs/239059.htm
    http://seer.support.veritas.com/docs/239391.htm
    
    These articles reveal that in order for Backup Exec versions 8.5 and 8.6
    to remotely back up Active Directory or Exchange 2000 databases, the
    RestrictAnonymous setting MUST be set to 0.  One may assume that for
    some reason Backup Exec requires an anonymous session in order to back up
    ESE databases (both Exchange 2000 and Active Directory are ESE
    databases), but Veritas does not explain why this is required.  Here is a
    quote from Veritas article 239059 when discussing setting
    RestrictAnonymous equal to a value other than 0.
    
    "This (setting RestrictAnonymous not equal to 0) could cause undesired
    behavior because many Windows 2000 services, as well as third-party
    programs, such as Backup Exec, rely on anonymous access capabilities to
    perform legitimate tasks.  Because of this, it is important to weigh the
    benefits of restricting the capabilities of anonymous users from a
    security perspective against the requirements of services and programs
    that rely on anonymous access for complete functionality."
    
    Veritas apparently understands that their software requires lax security
    in order to function correctly.  It is our opinion that this requirement
    should cause Backup Exec users to reconsider their use of this product.
    If this software must be used, then a less than ideal workaround may be
    to back up these ESE databases to a file in a shared location using the
    backup package built into Windows 2000 and then back up the file from a
    centralized backup point.  Nevertheless, users of Backup Exec need to
    confront Veritas and ask why their product requires an insecure
    configuration of the operating system in order to function.
    
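The registry value the audit turned up and the workaround the original post suggests, as an added PowerShell example (this is not code from Geoff Craig, Gino Genari or Veritas): it reads RestrictAnonymous from HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a list of hosts, flags any host still at 0, and then runs ntbackup's System State backup locally on each domain controller into a staging directory that a central backup job can collect over an ordinary file share. The host names, the D:\BackupStaging path, and the availability of PowerShell remoting and ntbackup.exe on the targets are assumptions made for the example.

```powershell
# Added example (not code from either poster or from Veritas): audit the
# RestrictAnonymous LSA value on a set of hosts and apply the original post's
# workaround on each domain controller: a local ntbackup of System State to a
# .bkf file that a central backup job then collects like any other file.
# Host names and paths below are assumptions for illustration only.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$hosts  = @('dc1.example.internal', 'dc2.example.internal', 'exch1.example.internal')

function Get-RestrictAnonymous {
    # Returns the RestrictAnonymous DWORD for one host: 0 means anonymous
    # enumeration of the SAM and shares is permitted, 1 or higher restricts it.
    # A missing value is reported as 0, the Windows 2000 default.
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty -Path $using:lsaKey -Name RestrictAnonymous `
                -ErrorAction SilentlyContinue).RestrictAnonymous
        if ($null -eq $v) { 0 } else { [int]$v }
    }
}

# Audit: one row per host, flagging hosts that still allow anonymous enumeration.
$report = foreach ($h in $hosts) {
    $value = Get-RestrictAnonymous -ComputerName $h
    [pscustomobject]@{
        Host              = $h
        RestrictAnonymous = $value
        Finding           = if ($value -eq 0) { 'RISK: anonymous enumeration allowed' } else { 'restricted' }
    }
}
$report | Format-Table -AutoSize

# Workaround: ntbackup (the backup package built into Windows 2000) runs on the
# DC itself, so it needs no anonymous session from the central backup server.
# System State includes the ntds.dit ESE database on a domain controller.
$stagingDir = 'D:\BackupStaging'   # assumed local path, shared as \\<dc>\BackupStaging
foreach ($dc in ($hosts | Where-Object { $_ -like 'dc*' })) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        New-Item -ItemType Directory -Path $using:stagingDir -Force | Out-Null
        $bkf = Join-Path $using:stagingDir ('systemstate-{0}.bkf' -f (Get-Date -Format yyyyMMdd))
        & ntbackup.exe backup systemstate /J "SystemState $env:COMPUTERNAME" /F $bkf
    }
}
```

The script only reads RestrictAnonymous; as the post describes, the value itself is set through the domain controller security policy or local security policy rather than edited by hand, so that the policy refresh does not revert it. Once each DC writes its .bkf into the staging share, the centralized Backup Exec job can back up that file with RestrictAnonymous left at 1.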



    This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 15:03:26 PDT