strange messenger service behavior
Results 1 to 4 of 4

Thread: strange messenger service behavior

  1. #1
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    strange messenger service behavior

    Ok, this seems counter-intuitive, but it is M$ afterall.

    I was LANGuarding a W2K Pro box and turning off services to observe the behavior (with a goal of reducing the "footprint" without breaking anything). A scan with messenger service running reveals two messenger NETBIOS names (computername and username), standard so far... So, I stop the messenger service and rescan. Sure enough, the NETBIOS names go away, but now LANGuard comes back with domain (workgroup) information AND is able to enumerate ALL the groups!

    I stop one service to close up an information leak and cause another. What's the deal with "messenger"? Or is it the wray LANGuard enumerates (if it can't get something one way, it tries another...)?

    Insight? Anyone?

    Tks,
    Myk

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I don't really know LanGuard but it probably uses a null session to enumerate the users and groups. It should be able to do this regardless of the messenger service running or not.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76
    Ok, I haven't been able to duplicate this on any other machine. (I should have tested it before posting).

    If I could yank this thread, I would -- until I do more testing.

    Strange, though...

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    SIrDice is correct, the scanner is making a null connection to enumerate info.

    Things to do:

    1) Set the restrict anonymous reg key to 2, or use the local security administrator MMC snap-in to change it.
    2) Kill all default shares $IPC, $ADMIN and $C (can be done perminantly in the registry).
    3) Disable netbios over TCP by stopping it in tcp/ip settings or stop the "server" service
    4) Obviously, disable computer browser service and netbios helper.

    Try your scan now and see what ya get. I bet it will be a hell of a lot better

    or,

    if you wanna be REALLY slick, go to the Center for Internet Security site and grab some of their security templates and apply them to fit your needs. They have some crazy templates that are NSA approved.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •