NT security vulnerabilities and suggestions for their resolution (II.)

Explanation: SMB has a "backdoor" that has not yet been exposed, and can access other files on Sam and NT servers without authorization. The SMB protocol allows remote access to shared directories, registry databases, and other system services. The exact number of services accessible through the SMB protocol has not been documented. In addition, there is no documented way of controlling access to these services.

Programs written with these vulnerabilities are ubiquitous on the internet. These programs do not require administrator access or interactive access rights. Another vulnerability is that SMB sends an application package using a simple encryption method when authenticating a user. As a result, its file transfer authorization mechanism is easily routed.

A backup copy of the SAM database can be exploited by some tools to crack the password. NT can only reach the level of encrypted RSA when authenticating users. In this case, it is not even necessary to use tools to guess those plaintext passwords. The tools to decode the SAM database and decipher the password are: Pwdump and Ntcrack. Currently, there is no alternative method for using SMB for NT networking.

Recommendations for reducing risk: On the firewall, all TCP and UDP connections from ports 135 through 142 are beneficial to control, including control over security vulnerabilities that are based on RPC work on port 135. The safest approach is to use proxies to restrict or completely deny SMB based connections on the network. However, restricting SMB connectivity can lead to limitations in system functionality. Set ACLs on internal routers, between individual subnets, up to ports 135 through 142.

4. Security Vulnerabilities: Trojan Horses (Trojan Horses) and viruses that may rely on the default to make a Sam backup, get access to the password information in the SAM, or access the update disk of the ERD for the Emergency Repair Disk.

Explanation: Trojan Horses (trojanhorses) and viruses can be performed by any member of the following groups when backing up with default permissions (by default, they include administrator administrators, members of the Administrators group, Backup Operators, Server Operators, And anyone with backup privileges), or when accessing the ERD update disk (by default, including anyone). For example, if a user is a member of the Administrators group, the Trojan may do anything when he is working on the system.

Recommendations for reducing risk: All accounts with Administrator and backup privileges must not be able to browse the Web. All accounts can only have permissions for the user or PowerUser group.

5. Security vulnerabilities: Anyone who is able to physically access a Windows NT machine may use some tool programs to gain access to the administrator level.

Explanation: There are tools on the Internet that are relatively easy to obtain administrator privileges (such as the ntlocksmith of Ntrecover,winternal software).

Recommendations for reducing risk: improving security measures.

6. Security vulnerability: Reinstall Windows NT software to obtain administrator-level access.

Explanation: Reinstall the entire operating system and overwrite the original system to gain administrator privileges.

Recommendations for reducing risk: improving security measures.

7. Security vulnerability: The default Guest account in the Windows NT domain.

Explanation: If the Guest account is open, when the number of times a user fails to log on is set, he can get guest access to the NT Workstation to enter the NT domain.