[Dshield] Windoze Questions...SAMBA + Windows AD Question

Al Reust areust at comcast.net
Tue Feb 17 04:49:04 GMT 2004



At 09:46 AM 2/17/2004 +1000, you wrote:
>Since the latest 'critical' update, I have noticed that snort reveals a
>'[1:538:7] NETBIOS SMB IPC$ share access (unicode)' connect to my SMB server
>that was not happening before (7:35 am, 8:06 am, 8:38 am). I don't set up a
>domain, only a peer workgroup, the Win 2000/XP takes over the management,
>and the firewall does the DHCP. It seems like the days of remote
>administration are gone and everybody needs to block off external access
>(reject everything from the outside in a secure network) and employ more
>technical staff.

If you use remote administration, it is a good thing that Snort tells you 
someone hooked into IPC$. It (the remote IP) should be within your IP range 
(DHCP or known remote IPs); if it is outside your IP range then you have a 
compromised system and the IP where it came from. Depending on your actual 
setup you could be seeing something that is quite normal (an internal 
application touching the server). Another name for the reported IPC$ 
connection is RPC, so if the box is a Virus Server and the client machine 
is set to update virus signatures when a user logs onto the local machine, 
you end up with a valid "Server Message Block" transaction. So without the 
actual packet it is hard to guess what really happened. If only one 
"internal" machine (all having the same patch applied) is filing the Alert, 
then you may have a corrupt DLL (unpacking) during the install. That single 
machine needs to be investigated. Depending on the OS version, MS provides 
a utility called QFECheck that will test and respond with the defective 
patch identification.

However, to remove those pesky administrative/hidden shares, Microsoft 
explains how to create hidden shares or remove them (yes, some registry 
editing is required, and once you have accomplished that you can replicate it).

So as you are on a "peer workgroup" you may be able to remove a lot of 
"that stuff" without impacting the people connecting to what they need. So 
there are alternatives. The basic idea would be that unwanted shares are 
removed, unwanted/unneeded services are disabled, and a fairly strong "local 
policy" is applied to each machine. "Everyone/World" is removed and 
replaced by "Authenticated Users"; Servers/Files (in whatever form) would 
have "machine/group/user" accounts for only those that need them and 
permissions set accordingly. The "Administrator" account has the stupid 
comment removed and is renamed; the "Guest" account has a very strong password 
and is disabled. Depending on the situation and the number of machines you 
could install a "Personal Firewall" on each. Please note that I did not go 
into how to make it just a "TCP/IP" network, but that is something to be 
considered. You stated Win2K/XP, so that is also possible.

So, without opening the VPN (for remote admin) or the Ports battles: yes, 
SANS should have a "guidance" page or two. You can have a moderately secure 
network that "will" resist the bulk of what is thrown at it. It takes a bit 
of information, some research, a little time, and sometimes patience to figure 
out what happened and then why. Then more patience explaining "tactfully" 
to the "quote" "CIO/CTO/Equivalent" that their policy has now "proven" to be a 
very Bad Choice and why. Otherwise we are all in the "wrong" business.

Yes, our mileage varies; some days we actually make headway. Many quote 
"administrators and/or users" learned "how" to make it work, they did not 
learn "how" to make it work securely (added complexity). While there have been 
times I was tempted to just say "You are a Moron," throw my hands up in 
the air and walk away, I continued to help them. We have learned that we 
can pick the battles and win; then security happens with one person or a 
small piece at a time. Over time, "learning, education and trust" happens; 
then we can actually make a large difference. Education and Patience are 
our best hope!

So now that you have gotten that out of your system, are there questions 
that we can help with?



>Unfortunately, if someone sends you an email on a win machine that has linux
>code attached, and you scan the mail (in MS-RAV) on linux, this can possibly
>work as the trigger for a 'virtual' trojan type virus. I contacted Vet
>about something that they missed (over 2 months ago) on an XP machine and
>RAV choked. I received no response. Of course all of the same is applicable
>for Unix/Win as it is for Win/Unix.
>Dial up or Thin client seems to be the only real way out of this mess
>(unless 'they' wake up to themselves and remove their feral 'patches' the
>best solution is to ditch Windoze). Does anybody still use banks of modems?
>My 'Plan B' is to revert to dial up access. It 'looks' like anything
>connected to a Win 2000/XP via broadband is vulnerable, and it also seems
>like there are a lot of trustworthy people and companies that have been
>co-opted into another 'preemptive strike' for no real reason, apart from the
>p.s. I have a funny feeling that the states who use electronic voting will
>count about 4 times more votes than the rest of the states that don't
>combined. How could any competent software engineer/developer design a
>system without an audit trail, and expect it to work, let alone debug it in
>the first place?
>----- Original Message -----
>From: "John Holmblad" <jholmblad at aol.com>
>To: "General DShield Discussion List" <list at dshield.org>
>Sent: Sunday, February 15, 2004 7:35 AM
>Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question
> > Laurie,
> >
> > your post prompts a question from me concerning the use of Linux/SAMBA
> > as a file server on a Microsoft network. As you may be aware, Samba-3
> > supports Windows Active Directory and a SAMBA file server can be a
> > member computer of an AD domain. Given this capability, I am interested
> > in knowing whether it is possible for a Linux server that is running
> > Samba-3 and which is joined as a computer to an AD domain to be the
> > target machine for the folder redirection feature under Windows Group
> > Policy. Have you tried doing this on your network?
> >
> > The idea here, building upon your point that Linux systems are generally
> > protected from Windows-targeted malware, is to achieve an additional
> > layer of security ("security through OS diversity" if you will) by
> > having most or all Windows 2000/XP users' folders automatically mapped
> > to one or more Linux/SAMBA systems using the GP feature. For those
> > sensitive folders that could not be re-mapped for performance reasons,
> > Windows Encrypting File Service could then be used to protect such
> > files against theft.
> > --
> > Best Regards,
> > John Holmblad
> > Televerage International
> > (H) 703 620 0672
> > (M) 703 407 2278
> > (F) 703 620 5388
> > www page: www.vtext.com/users/jholmblad
> > primary email address: jholmblad at aol.com
> > backup email address: jholmblad at verizon.net
> > text email address: jholmblad at vtext.com
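As an added illustration of the triage Al describes above (this is not code from the original thread), a small Python script that parses Snort fast-format alert lines for the IPC$ rule (sid 538) and sorts the sources into inside versus outside an assumed address range; the alert lines, the 192.168.1.0/24 range and the host addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed Snort "fast"-format alert lines (not from the original post);
# timestamps echo the 7:35/8:06/8:38 hits the poster saw, addresses are made up.
SAMPLE_ALERTS = """\
02/17-07:35:02.114233 [**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.23:1104 -> 192.168.1.5:139
02/17-08:06:41.002981 [**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.23:1131 -> 192.168.1.5:139
02/17-08:38:15.551207 [**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.23:1177 -> 192.168.1.5:139
02/17-09:02:07.773100 [**] [1:538:7] NETBIOS SMB IPC$ share access (unicode) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.77:3345 -> 192.168.1.5:445
"""

# Assumed "inside" ranges: the DHCP pool plus any known remote-admin addresses.
INTERNAL_RANGES = [ipaddress.ip_network("192.168.1.0/24")]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sid"] = int(rec["sid"])
            alerts.append(rec)
    return alerts

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)

def triage_ipc_alerts(text, sid=538):
    """Outside source: a compromised host somewhere. One internal source: look at
    that machine (bad patch install). Several internal sources: likely normal."""
    alerts = [a for a in parse_alerts(text) if a["sid"] == sid]
    external = sorted({a["src"] for a in alerts if not is_internal(a["src"])})
    internal = Counter(a["src"] for a in alerts if is_internal(a["src"]))
    if len(internal) == 1:
        verdict = "single internal host: investigate it (verify the patch, e.g. with QFECheck)"
    elif internal:
        verdict = "several internal hosts: likely normal traffic, confirm with a packet capture"
    else:
        verdict = "no internal sources"
    return {"external_sources": external, "internal_counts": dict(internal), "verdict": verdict}
```

Run `triage_ipc_alerts(SAMPLE_ALERTS)` to see the external source listed separately from the per-host counts of internal sources.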
