9.8 Windows Networking Services Countermeasures

  • Filter public or nontrusted network access to high-risk services, especially the MSRPC service, which is accessible through TCP and UDP port 135, and the NetBIOS session and CIFS services (TCP ports 139 and 445), all of which can be attacked and used to compromise Windows environments.

  • Ensure that local administrator account passwords are set, because these are often left NULL on workstations when domain authentication is used. If possible, disable the local computer Administrator accounts across your network.

  • Enforce a decent user account lockout policy to minimize the impact of brute-force password-grinding attacks.

Here are Microsoft RPC service-specific countermeasures:

  • If RPC services are accessible from the Internet, ensure that the latest Microsoft security patches relating to RPC components are installed. At the time of writing, these are MS03-026 and MS03-039.

  • Disable the Task Scheduler and Messenger services if they aren't required. The Task Scheduler can be used by attackers to remotely execute commands upon authenticating, and both services have known memory-management issues.

  • Disable DCOM support if it isn't required because this will minimize the current and future threat presented by RPC service attacks (such as the Blaster worm in 2003). Microsoft KB article 825750 discusses this; you can find it at http://support.microsoft.com/default.aspx?kbid=825750.

  • Be aware of threats presented by RPC over HTTP functionality within Microsoft IIS web services (when COM Internet Services is installed). Ensure that the RPC_CONNECT HTTP method isn't allowed (unless required) through any publicly accessible web services in your environment.

Here are NetBIOS Session and CIFS service-specific countermeasures:

  • Enforce RestrictAnonymous=2 under Windows 2000, XP, and 2003 hosts to prevent enumeration of system information through NetBIOS. The registry key can be found under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Microsoft KB articles 246261 and 296405 should be reviewed and are accessible from http://support.microsoft.com.

  • Enforce NTLMv2 if possible. Fast multithreaded brute-force tools, such as SMBCrack, take advantage of weaknesses within standard NTLM, and therefore don't work against the cryptographically stronger NTLMv2.

  • Rename the Administrator account to a nonobvious name (e.g., not admin or root), and set up a decoy Administrator account with no privileges.

  • The Microsoft Windows 2000 Resource Kit contains a tool called passprop.exe that can lock the Administrator account and prevent it from being used across the network (thus negating brute-force and other attacks) while still allowing Administrator logons locally at the system console. To lock the Administrator account in this way, issue a passprop /adminlockout command.
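The following read-only audit script is an added example, not from the book, that checks a host against the countermeasures listed above (RestrictAnonymous, NTLMv2, DCOM, the Task Scheduler and Messenger services, the renamed Administrator account, and the lockout policy). It assumes an elevated PowerShell session with English-language output from net accounts; the LmCompatibilityLevel and EnableDCOM registry values are not named in the text and are taken from standard Windows hardening guidance and the referenced KB 825750.

```powershell
# Added example (not from the book): read-only audit of a Windows host against the
# countermeasures above. Run in an elevated PowerShell session; nothing is changed.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = @()

# RestrictAnonymous=2 blocks null-session enumeration (KB 246261 / 296405).
$ra = Get-RegValue $lsa 'RestrictAnonymous'
$results += [pscustomobject]@{ Check = 'RestrictAnonymous = 2'; Pass = ($ra -eq 2); Value = $ra }

# Assumption: LmCompatibilityLevel controls NTLMv2 enforcement (not named in the text).
# 3 or higher sends only NTLMv2 responses; 5 additionally refuses LM and NTLM.
$lm = Get-RegValue $lsa 'LmCompatibilityLevel'
$results += [pscustomobject]@{ Check = 'NTLMv2 enforced (LmCompatibilityLevel >= 3)'; Pass = ($lm -ge 3); Value = $lm }

# EnableDCOM = 'N' is the setting KB 825750 describes for disabling DCOM.
$dcom = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM'
$results += [pscustomobject]@{ Check = 'DCOM disabled (EnableDCOM = N)'; Pass = ($dcom -eq 'N'); Value = $dcom }

# Task Scheduler (service name 'Schedule') and Messenger should be disabled or absent.
foreach ($name in 'Schedule', 'Messenger') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    $mode = if ($svc) { $svc.StartMode } else { 'absent' }
    $results += [pscustomobject]@{ Check = "$name service disabled"; Pass = ($mode -in 'Disabled', 'absent'); Value = $mode }
}

# The built-in Administrator account always has RID 500; check that it has been renamed.
$admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.SID -like '*-500' }
$results += [pscustomobject]@{ Check = 'Built-in Administrator renamed'; Pass = ($admin -and $admin.Name -ne 'Administrator'); Value = $admin.Name }

# Lockout threshold from 'net accounts' (assumes English output); 'Never' means no lockout policy.
$match = net accounts | Select-String 'Lockout threshold'
$threshold = if ($match) { $match.Line.Split(':')[1].Trim() } else { 'unknown' }
$results += [pscustomobject]@{ Check = 'Account lockout threshold set'; Pass = ($threshold -notin 'Never', 'unknown'); Value = $threshold }

$results | Format-Table -AutoSize
```

Any check reporting Pass = False maps directly to one of the bullets above; the script only reads registry, WMI and net accounts output, so it can be run on hosts before and after remediation to confirm the settings took effect.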