|Subject:||Shares, Named Pipes, and Registry for Anonymous Remote Access|
|Posted by:||Will (email@example.com)|
|Date:||Thu, 22 Feb 2007|
I have a trojan I am fighting that replicates by establishing a null
connection to IPC$ on any member server that has File & Printer Sharing
enabled. It then repeatedly tries to invoke one of several buffer
overloads in order to execute code in the SYSTEM context of the targeted
machine. I would like to know how can I safely prevent null connections on
IPC$. I have all five of the enable/disable settings in GPO security set
that forbid anonymous access. Setting those to forbid anonymous is NOT
preventing the trojan from successfully establishing the null connection.
I can see this quite clearly by following its progress in a sniffer on the
attacking machine, and then when the IPC$ connection is established, on the
Windows 2003 DC I quite clearly get an eventviewer message that shows
ANONYMOUS CONNECTION, and the IP of the eventviewer message matches the
Group Policy for Windows XP/2003 contains the following Security Settings
(these names are approximate):
Named Pipes that can be accessed anonymously
Remote access registry paths
Remote access registry paths and subpaths
Shares that can be accessed anonymously
I have the following questions regarding the above:
1) For a domain controller, is it required that any of these be enabled, and
what is the minimum subset of entities that must be exposed?
2) For a member server, same question
3) For Windows 2000 DCs, are most of these just enabled by default and you
cannot change the specific settings?
4) When you deselect the checkbox on this group policy, and simply fail to
define any entities, then what are the defaults that will be in effect?
When I ran RSOP.MSC on one Windows 2003 DC, it had none of these defined
even through its local policy and GPO did not select checkboxes for any of
If the lack of any settings in RSOP.MSC means that nothing is being allowed
for anonymous access, then would I get the same result by enabling the
checkbox, and simply forcing the list of each GPO setting above to be empty?
I'm not clear on what steps if any I should take here to absolutely be sure
that there are no anonymous connections allowed to the member server / DC.
Any insights on this are appreciated.