From:	SMTP%"jacob@esisys.com" 27-SEP-1996 19:11:59.14
To:	EVERHART
CC:	
Subj:	BoS:      Re: NT security et al (Dangers of NetBIOS/NBT?)

Resent-Date: Sat, 28 Sep 1996 08:49:16 +1000
Approved-By: ALEPH1@UNDERGROUND.ORG
X-Sender: jacob@esisys.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: <Windows Eudora Version 2.0.2>
Approved-By:  Jacob Langseth <jacob@ESISYS.COM>
Message-ID: <199609271918.PAA09183@gateway.esisys.com>
Date: 	Fri, 27 Sep 1996 16:18:31 -0400
Reply-To: Jacob Langseth <jacob@esisys.com>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jacob Langseth <jacob@esisys.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Approved: proff@suburbia.net
Resent-Message-ID: <"odrlM2.0.pi1.hd5Jo"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: <best-of-security@suburbia.net> archive/latest/421
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS:      Re: NT security et al (Dangers of NetBIOS/NBT?)

>o       Windows 3.11 has share bugs microsoft will never apparently fix,
>        whereby any share allows the whole disk to be accessed by using
>        a ../../.. type construct and the smbfs client code.

Well, there is actually a fix available for Windows 3.11.  Take a look at
        <http://www.microsoft.com/kb/peropsys/windows/q136418.htm>

While we're on the subject of NT network pet peeves (aka NetBios gotchas),
here's some more:
    ppl can view full process lists from remote (via pview's connect feature)
        (pview.exe is included w/ MSVC++).
    ppl can read portions of the registry remotely (via regedt32.exe).
        This can be REALLY BAD for NT workstations configured to use
        auto-logon, as people usually forget to remove read permission
        from the WinLogon entry (which keeps the auto-logon password
        stored in cleartext).
    ppl can read Application and Event logs remotely (w/ eventvwr.exe)

Is it just me, or is the entire principle of releasing this kind of information
(logs, processes, registry info), w/o explicit permission from the
administrator,
completely flawed?  Anyone know how to disable these 'features'?

JwL
--
Jacob Langseth                          -=-finger for PGP key-=-
Enhanced Systems, Inc.                  email:  jacob@esisys.com
6961 PeachTree Ind Blvd                 voice:  (770) 662-1504 ext. 684
Norcross, GA  30092                     fax:    (770) 662-1537