Monday, August 16, 2004

The first step is to figure out whether your organization is vulnerable and determine if anyone is exploiting this vulnerability.

If you're running a Web server, you should see numerous NT Authority/Anonymous Event ID 538 (Logoff) and 540 (Logon) entries in the security log of your event viewer. These entries are normal; your Web user account is proxying a request from a user to view Web pages.

However, you should not see NT Authority/Anonymous event ID 528 (Logon) Type 3 on your file servers and workstations. These events indicate that an anonymous user has successfully viewed or connected to a network share.

Closing this vulnerability is easy. You can secure your network either through Group Policy or via the local security policy on the machine.

Stop anonymous logons

In Windows 2000 Server and Windows Server 2003, you can disable anonymous logons using Active Directory and Group Policy.

Follow these steps:

1. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and expand Local Policies.
2. Select Security Options.
3. Double-click Additional Restrictions For Anonymous Connections.
4. Change the setting to Do Not Allow Enumeration Of SAM Accounts And Shares.

Or, you can make the change locally on a machine without using Group Policy. Follow these steps:

1. Go to Start | Run.
2. Enter secpol.msc in the Open text box, and click OK. This opens the Local Security Settings applet.
3. Expand Local Policies, and select Security Options.
4. In Windows 2000, double-click Additional Restrictions For Anonymous Connections, and change the setting to Do Not Allow Enumeration Of SAM Accounts And Shares.
5. In Windows XP, double-click Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares, select Enabled, and click OK.

You've now protected your workstations and servers against anonymous user logons.
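The log check described at the top of this post, written as an added example (not part of the original post): it reads a constructed CSV export of Security-log events and flags anonymous Event ID 528 Type 3 logons on file servers and workstations, while counting anonymous 538/540 entries on Web servers as normal. The CSV column names and the role column are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample: a CSV export of Security-log events. The column names and
# the "role" column (taken from an asset inventory) are assumptions.
SAMPLE_EXPORT = """host,role,event_id,logon_type,user
WEB01,web,540,3,NT AUTHORITY\\ANONYMOUS LOGON
WEB01,web,538,3,NT AUTHORITY\\ANONYMOUS LOGON
FS01,file,528,3,NT AUTHORITY\\ANONYMOUS LOGON
FS01,file,528,3,NT Authority/Anonymous
FS01,file,528,2,CORP\\alice
WS17,workstation,528,3,nt authority\\anonymous logon
WS17,workstation,538,3,NT AUTHORITY\\ANONYMOUS LOGON
"""

EXPECTED_ON_WEB = {538, 540}             # normal anonymous entries on a Web server
FLAGGED_ROLES = {"file", "workstation"}  # where 528 Type 3 should not appear

def is_anonymous(user):
    """Match the anonymous account regardless of case or separator style."""
    name = user.strip().lower().replace("/", "\\")
    return name.startswith("nt authority\\anonymous")

def triage(export_text):
    """Return (findings, expected): per-host counts of anonymous 528 Type 3
    logons to investigate, and of anonymous 538/540 entries on Web servers."""
    findings, expected = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if not is_anonymous(row["user"]):
            continue
        try:
            event_id, logon_type = int(row["event_id"]), int(row["logon_type"])
        except ValueError:
            continue  # skip malformed rows rather than guess
        role = row["role"].strip().lower()
        if role == "web" and event_id in EXPECTED_ON_WEB:
            expected[row["host"]] += 1
        elif role in FLAGGED_ROLES and event_id == 528 and logon_type == 3:
            findings[row["host"]] += 1
    return findings, expected

if __name__ == "__main__":
    findings, expected = triage(SAMPLE_EXPORT)
    for host, count in sorted(findings.items()):
        print(f"{host}: {count} anonymous Event ID 528 Type 3 logon(s), investigate")
    print("Expected Web server entries:", dict(expected))
```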
