[55] in Security FYI


Windows NT vulnerabilities with blank passwords and file sharing

daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Mon Jun 12 15:21:41 2000

From: mhpower@MIT.EDU
Message-ID: <20000612192138.7931.qmail@customer-care.infrastructure.org>
Date: Mon, 12 Jun 2000 15:21:38 -0400
To: security-fyi@mit.edu
Reply-To: net-security@MIT.EDU

-----BEGIN PGP SIGNED MESSAGE-----

As many of you noticed earlier this month, the SANS Institute
published a "List of The Top Ten Internet Security Threats", e.g., see

  http://www.sans.org/topten.htm
  http://news.cnet.com/news/0-1003-200-2000069.html

On this list, entry 7 is "Global file sharing and inappropriate
information sharing via NetBIOS". The IS Network Security team has
determined that this issue is currently of great relevance at MIT,
with some critical MIT resources at risk of immediate compromise.
There are also MIT computers known to be compromised through this
vulnerability within the past few weeks, and it's expected that
intruders can identify additional vulnerable computers via rapid
automated methods. The important MIT systems that we've already found
to be affected by this problem are all Windows NT machines, but the
problem can affect Unix (if Samba is installed) and Windows 9x.

Here are some of the specific items to check for on each Windows NT
machine in your area:

  -- the machine needs to have a well-chosen Administrator password.
     Many Windows NT machines at MIT have no Administrator password
     set, and have the default administrative shares. Typically, this
     means that anyone on the Internet can read and alter everything
     stored on the machine's disks, by way of a NetBIOS session with
     the login name Administrator and a blank password.

  -- names associated with your users and work projects should not be
     used as passwords, and should not be the login names of accounts
     that have a blank password. These names can often be found via
     remote anonymous NetBIOS queries. There are programs used by
     intruders that will automatically try all of these as login names
     and passwords, and currently this will result in successful
     access to many MIT machines.

  -- when setting up file sharing, be sure that all public read access
     is consistent with MIT's "Policy on the Use of Information
     Technology" (http://web.mit.edu/policies/13.2.html). Currently,
     some MIT machines have personal information about students and
     employees accessible via Windows file sharing. Also, some MIT
     machines have sharing set up to allow public write access to
     important data, allowing deletion or alteration by intruders.

General guidelines (not NT-specific) for choosing passwords can be
found at http://web.mit.edu/net-security/www/pw.html -- also, for NT,
http://support.microsoft.com/support/kb/articles/Q161/9/90.ASP
indicates how to require use of strong passwords. Blank passwords
should not be used for accounts that can obtain any type of remote
access to machines or their shared filesystems.

Since this message will not reach all relevant persons at MIT, the
Network Security team will be running vulnerability checks on all
mit.edu hosts to try to locate the ones that still have these NetBIOS
security problems (some of these checks have been done already as part
of assessing the scope of the problem). The web page
http://web.mit.edu/net-security/www/faq.html#legitimate-probes has a
few additional details about this type of vulnerability scanning.

Matt Power
Network Security team, MIT Information Systems

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
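
A local audit covering the items in the checklist above, run on the machine being checked. This is an added example, not part of the original message or any MIT tooling. It assumes an elevated session and the LocalAccounts and SmbShare cmdlets found on current Windows releases (they did not exist on Windows NT 4.0); the function names and the list of "broad" principals are choices made for this example, and the principal names are the English ones.

```powershell
# Added example: local audit for blank-password accounts and open shares.
# Assumes Get-LocalUser, Get-SmbShare and Get-SmbShareAccess are available.

# Enabled local accounts that are permitted to have no password.
# PasswordRequired = $false means a blank password is allowed, not that one
# is set; treat every hit as an account to give a well-chosen password.
function Get-BlankPasswordCandidate {
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, PasswordRequired, PasswordLastSet
}

# Shares whose share-level permissions grant access to broad groups.
# AdminShare marks the default administrative shares (C$, ADMIN$, ...).
function Get-BroadShareAccess {
    param(
        # Principals treated as "public" in this example; adjust as needed.
        [string[]]$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON',
                                       'Authenticated Users', 'Users')
    )
    foreach ($share in Get-SmbShare) {
        Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
            Where-Object {
                # Compare only the name after any "DOMAIN\" prefix.
                $leaf = ($_.AccountName -split '\\')[-1]
                [string]$_.AccessControlType -eq 'Allow' -and
                    $BroadPrincipals -contains $leaf
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share      = $share.Name
                    Path       = $share.Path
                    AdminShare = $share.Special
                    Account    = $_.AccountName
                    Right      = [string]$_.AccessRight
                    Writable   = [string]$_.AccessRight -in 'Full', 'Change'
                }
            }
    }
}

# Report: accounts first, then shares with writable ones listed first.
Get-BlankPasswordCandidate | Format-Table -AutoSize
Get-BroadShareAccess |
    Sort-Object @{ Expression = 'Writable'; Descending = $true }, Share |
    Format-Table -AutoSize
```

Share-level permissions are only half of the effective access: a share flagged here may still be restricted by NTFS permissions on the underlying path, so review both before deciding a share is safe.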
