August 7th, 2003, 06:29 PM
strange messenger service behavior
Ok, this seems counter-intuitive, but it is M$ after all.
I was LANGuarding a W2K Pro box and turning off services to observe the behavior (with a goal of reducing the "footprint" without breaking anything). A scan with messenger service running reveals two messenger NETBIOS names (computername and username), standard so far... So, I stop the messenger service and rescan. Sure enough, the NETBIOS names go away, but now LANGuard comes back with domain (workgroup) information AND is able to enumerate ALL the groups!
I stop one service to close up an information leak and cause another. What's the deal with "messenger"? Or is it the way LANGuard enumerates (if it can't get something one way, it tries another...)?
August 8th, 2003, 12:54 PM
I don't really know LanGuard but it probably uses a null session to enumerate the users and groups. It should be able to do this regardless of the messenger service running or not.
Experience is something you don't get until just after you need it.
August 8th, 2003, 06:15 PM
Ok, I haven't been able to duplicate this on any other machine. (I should have tested it before posting).
If I could yank this thread, I would -- until I do more testing.
August 8th, 2003, 06:28 PM
SIrDice is correct, the scanner is making a null connection to enumerate info.
Things to do:
1) Set the restrict anonymous reg key to 2, or use the local security administrator MMC snap-in to change it.
2) Kill all default shares $IPC, $ADMIN and $C (can be done permanently in the registry).
3) Disable netbios over TCP by stopping it in tcp/ip settings or stop the "server" service.
4) Obviously, disable computer browser service and netbios helper.
Try your scan now and see what ya get. I bet it will be a hell of a lot better.
If you wanna be REALLY slick, go to the Center for Internet Security site and grab some of their security templates and apply them to fit your needs. They have some crazy templates that are NSA approved.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
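An added example, not part of the thread: a small auditor that reads a registry export of the box and reports which of the hardening steps listed in the last post are still open. The value names `AutoShareWks` and `NetbiosOptions` and the service key names `Browser` and `LmHosts` are this example's mapping of those steps (the post names only RestrictAnonymous), and the sample export is constructed.

```python
import re
SVC = r"SYSTEM\CurrentControlSet\Services"
# (key, value name, hardened value, finding) for the steps in the post above
CHECKS = [
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 2,
     "null sessions can enumerate users and groups"),
    (SVC + r"\LanmanServer\Parameters", "AutoShareWks", 0,
     "administrative shares (C$, ADMIN$) are re-created at boot"),
    (SVC + r"\Browser", "Start", 4, "Computer Browser service not disabled"),
    (SVC + r"\LmHosts", "Start", 4, "TCP/IP NetBIOS Helper service not disabled"),
]

def parse_reg(text):
    """Return {key path without hive, lowercased: {value name: int}} for dword values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].split("\\", 1)[-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    keys, findings = parse_reg(text), []
    for key, name, want, msg in CHECKS:
        # a value missing from the export is reported the same as a weak one
        if keys.get(key.lower(), {}).get(name.lower()) != want:
            findings.append(f"{name}: {msg}")
    prefix = (SVC + r"\NetBT\Parameters\Interfaces\Tcpip_").lower()
    for key, values in keys.items():
        # NetbiosOptions 2 = NetBIOS over TCP/IP disabled on that interface
        if key.startswith(prefix) and values.get("netbiosoptions") != 2:
            findings.append("NetbiosOptions: NetBIOS over TCP/IP enabled on "
                            + key.rsplit("\\", 1)[-1])
    return findings

# Constructed sample export (not taken from the machine in the thread)
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{00000000-0000-0000-0000-000000000001}]
"NetbiosOptions"=dword:00000000
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running it before and after each change shows which step closed which finding, independent of what a remote scanner happens to try.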