Ben Nagy wrote:
>
> Okay, I'm prepared to look stupid.
>
> Why would the layout require an exposed NBT server?

No idea, it is not my network. ;)

The original post states that the system is "external". This could be
just outside of the firewall or on some remote network where you have no
control over security. In either event it should be considered an
"untrusted" system. IF the system is remote, you have no idea what the
Admin on the other end has done to secure the system.

For example, take a look at:
http://www.geek-speak.net/products/ntaudit1.html
and pay particular attention to NT OBJECTives' "hunt.exe" utility. Even
if the remote Admin is diligent with patches and hotfixes, an anonymous
user can enumerate all logon names for that system unless the Admin has
made the correct registry hacks as well (something I would say most
Admins _do not_ do based on the audits I've performed). True, we are
talking about a remote system, but I would bet $$$ that the description
for that user will identify where the account originates from. This
gives me a target to go back after the original network.

> I mean it's crappy in terms of man-in-the-middle, but that's suspicious's
> problem, not ours. It's our passwords for _their_ network that are on the
> wire. Unless we're using the internal usernames and passwords, which is
> potentially bad. And M-I-M could be low risk if they own the wire in
> between.

You bring up a good point, just what happens if the user tries to use a
different logon name and password to this remote system? From my
experience, NT will force the user to re-authenticate every time they
want to map a drive. Since we are talking regular users, not an Admin
who is concerned with security, it's only a matter of time before they
decide it's "easier" to simply use the same password.

To see why this is a "bad thing", grab a copy of L0pht Crack. ;)

From my personal experience, NetBIOS over IP shares too much in common
with the Unix "R commands" to ever want to pass it over an untrusted
wire.

> I'm not sure it's how _I'd_ do it, but I can't see how it's as drastic as
> having people able to connect to NB ports on your local network.

Obviously I'm not going to post a "how-to" on cracking this setup to the
list. If you are running the above setup however, the above should give
you some pointers on locking down the config. ;)

Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet