If the Remote Administration is done via Windows NT, authentication uses
Challenge/Response, and no passwords are transmitted, period.
If the Remote Administration is done via a client which does not support
Challenge/Response, like Windows '95 or Windows 3.x, then the passwords are
transmitted.
The availability of services on this port is considered to be the single
most insecure thing on NT. However, it is possible to deny access to the
authentication mechanism (and thereby deny access to all RPC-based
services) by unbinding the "Server" service from the external adapter.
I can also say that NT 4.0 will make a lot of people on this list much
happier than they may be today. Please don't ask me for more information,
but trust me when I say there are some new security-specific features in
the base product that will make it easier for you to accept one into your
environment. Squeaky wheel gets the oil and all that...;-]
Cheers,
Russ