[10866] in bugtraq
Re: Microsoft Peer Web Services vulnerability
daemon@ATHENA.MIT.EDU (David LeBlanc)
Mon Jun 21 13:14:56 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.3.32.19990619101141.03717200@mail.mindspring.com>
Date: Sat, 19 Jun 1999 10:11:41 -0700
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To: Colette.Chamberland@MAIL.STATE.KY.US
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <910433C0D10AD211BF1F0008C7F4D3CE023F65E8@agency6.state.ky. us>
At 02:35 PM 6/17/99 -0400, Colette.Chamberland@MAIL.STATE.KY.US wrote:
>The user will then be prompted for a UserID and password and if successful
>authentication takes place they are given access to sensitive server
>information. It provides an attacker with a means to brute
>force / guess the Administrators password and if successful an enormous
>amount of reconnaissance work can be achieved through the application's use.
I think you'll find that in general, someone running PWS will also not have
any port filtering in place and that the NetBIOS ports are available -
we're talking about someone's workstation, so this won't usually be the
only means to go guessing the admin password. The important thing is to
make sure that you've chosen a strong password.
I'd have to check into it, but I think that the web-based administration
can be disabled entirely - a MMC-based admin tool can be used instead. I
don't recommend changing the admin user's name in any case where the
NetBIOS ports are open, because the administrator's name can always be
determined. However, if the NetBIOS ports are not available, then renaming
that account can provide an extra level of obfuscation.
It is equally important to be sure that any application which allows
administration of the web site (such as Front Page) has been set up properly.
David LeBlanc
dleblanc@mindspring.com
