Thanks Mike, I don't think this would work on my computer because I had previously disabled all the admin shares. I also tweaked the registry so that shares would not become enabled after reboot. Also, I had MS File and Printer Sharing turned off, so my computer wasn't visible in "Network Neighborhood" or "My Network Places". Thanks for the link, I read through it. Near the bottom, it says: "To disable anonymous connections altogether, block access to tcp139/445 (IPSec port filters or Internet Connection Firewall), or uncheck "File and Print Sharing for Microsoft Networks" from the network interface in question (via the properties tab of the network connection)." I'm unsure as to whether or not ports 139/445 are blocked but I'll find out today. If they are enabled, I'll block them. Thanks On Sun, 2002-10-06 at 15:45, Midkaemia wrote: > > Another possibility is that they have exploited the default "null sessions" > vulnerability of a netbios enabled windows machine. They don't have to be a > domain user, they just connect as follows.. > > net use * \\<target>\<any admin share> /user:"" "" > > admin shares can be... > ipc$ > c$ > <any other drive>$ > admin$ > > They can also connect to any public share with no security set. > > This way they connect with a blank username and a blank password. A single > registry key fixes some of the associated problems. See the following link > for a discussion of some of the nitty gritty. > > http://cert.uni-stuttgart.de/archive/focus-ms/2002/03/msg00088.html > > Cheers > > Mike -- "The Computer made me do it." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Oct 07 2002 - 18:36:17 PDT