Great Circle Associates Firewalls
(November 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: W4Wg security issues?
From: johns @ oxygen . house . gov (John Schnizlein)
Date: Fri, 4 Nov 1994 17:54:44 -0500
To: firewalls @ GreatCircle . COM, steve @ interaccess . com

> I was playing around with the new Microsoft 32bit TCP/IP drivers under
> Windows for Workgroups, and decided to delete the NetBEUI and IPX protocols.
> Much to my surprise, the W4WG file sharing and printer sharing
> kept on rocking.
  ^^^^^^^^^^^^^^
This is a good thing. it means Microsoft really supports IP.
> 
> I was extremely shocked when I found that I could share drives off an
> Internet exposed Windows NT Advanced Server box using TCP/IP, _without_
> enabling anything on the NTAS side.  I dont know the first thing about W4WG
> networking (or how to firewall it), and I'm more than slightly scared that
> this will become another NFS/RPC security nightmare.  A few misplaced mouse
> clicks ('Yes, I will share network drives') allows _ANYONE_ on the internet
> to read and write to any drive on a W4WG machine.  Aack.

Yes, the convenience poses a great risk to exposed machines.
No, it is not nearly as bad a problem as NFS/RPC because it does not use
random dynamic ports (registered with the portmapper).
The Microsoft services are usually offerred over tcp port 139 on the NTAS.
Blocking access to this port is prudent.

It is also imprudent to configure an NTAS to share indiscriminantly.
If you use the Microsoft domain authority mechanisms,
you gain OS authentication of users attempting to acquire services.
I cannot vouch for this authentication, but they are proud of its features;
one of which is some encryption of passwords exchanged between client & server.
Configuring the NTAS as its own domain master seems to prevent casual access.
The hierarchy of trust implied by multiple servers in a domain appears
to entail the normal issues of hierarchy (we don't use it).

> 
> Where would I start to find out more about these machines?  I'm going to
> drop a packet sniffer on our networks to try to discover what is happening,
> but thats a pretty lousy way to learn about a network service.  Any ideas?

Another thing you should do, since these NTAS try so hard to be helpful,
is scan the TCP ports on the server to see what other services it offers.

I read Helen Custer's book on NT internals for the flavor of the OS.
I hear rumors that a companion book will explain NT networking details.
Watching and waiting ...
(-: Have you Microsoft people gotten on this mailing list yet? :-)

Indexed By Date Previous: Re: Sidewinder: The Challenge
From: H Morrow Long <long-morrow @ CS . YALE . EDU>
Next: Re: Firewalls built on SCO UNIX
From: prologic!sar @ uunet . uu . net
Indexed By Thread Previous: Re: W4Wg security issues?
From: Gregg Rosenberg <gregg @ interaccess . com>
Next: Re: W4Wg security issues?
From: Richard Huddleston <reh @ wam . umd . edu>

Google
 
Search Internet Search www.greatcircle.com