user list

G

gazebo

Is it possible that some external parties retrieve the
user list through the internet? If so, how to avoid it?

It seems that my server's user list has been retrieved by
some unknown parties and every night there are repeated
logon attempts every few secs using the local user lists.
(failed so far)
 
S

Steven L Umbach

Easily done via a null session if you have file and print sharing enabled on
your network adapter connected to the internet and you do not have a
firewall or it is improperly configured. Go to http://scan.sygatetech.com/
for a basic vulnerability scan and see if sirens go off about netbios ports
being open to the world. There are free personal firewalls available for
personal use. A firewall is only one component in securing a network
however. --- Steve

http://www.webattack.com/Freeware/security/fwfirewall.shtml
http://www.microsoft.com/security/protect/
http://securityadmin.info/faq.asp#harden --- From the FAQ.
 
G

gazebo

I tried to disable netbios over TCPIP on DNS and exchange
server. It turned out that DNS cannot be started. And
exchange server reported some services not started as well.

Is it the case?
 
S

Steven L Umbach

Where did you disable nebios over tcp/ip? - do not disable the tcp/ip
netbios helper service as problems will occurr. Nebios should be disabled in
network adapter properties\/tcp/ip\advanced\wins. Did you try just
disabling file and print sharing? --- Steve
 
S

Steven Umbach

I have never tried disabling netbios over tcp/ip that way. Their reference to
disabling netbios over tcp/ip in wins is correct - you also need to disable file
and print sharing on that nic to stop smb over port 445 as they state. I just
wanted to make sure that you did not disable the tcp/ip netbios helper service
as it will cause problems like dns malfunctioning. I don't know much about
Exchange, which may be complicating your ability to harden the server. You may
want to post those issues at an Exchange newsgroup. I think your best bet is to
use a firewall that blocks all inbound ports by default, and then you open only
those ports needed for access. --- Steve
 
G

gazebo

Thanks Steve, I did remove the file and print and netbios
over tcpip. Can I disable those built in iis accounts?
I am still receiving anonymous access (success) regularly.
Who are they? I have already restricted anonymous access
as described in the ms doc.
 
S

Steven L Umbach

If you are allowing anonymous access to your IIS sites via those accounts then you
need those accounts, otherwise you can disable them. I am not a IIS guru so you may
want to post your IIS security questions in the
Microsoft.public.inetserver.iis.security newsgroup where there are some very helpful
and knowledgeable people. --- Steve
 
G

gazebo

thanks, Steve

Gazebo
-----Original Message-----
If you are allowing anonymous access to your IIS sites via those accounts then you
need those accounts, otherwise you can disable them. I am not a IIS guru so you may
want to post your IIS security questions in the
Microsoft.public.inetserver.iis.security newsgroup where there are some very helpful
and knowledgeable people. --- Steve




.
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Apparent NetBIOS Attack - How Dangerous? 12
Maximum Logon Attempts 1
Automatically update Outlook 2007 contact lists 2
Can a GINA STUB fulfil my requirement? 0
access sharepoint list 2
Help, strange failed login attempt 1
OnePlus January 19 Credit Card Security Update: up to 40k customers may be affected 2
All Domain Admin Accounts Locked 2

Top