Blocking port scans on local network

Anonymous
November 30, 2004 10:33:01 AM

Archived from groups: microsoft.public.win2000.security

We have some wonderful auditors in our building who will be testing our
network security (Sarbanes-Oxley is the bane of my existence).

I noticed that one of the auditors had a copy of SolarWinds Engineering
Edition Toolset. I suspect that they will be scanning my network etc... I ran
one of the SolarWinds browsing utilities on my domain controller and was
surprised at the information it returned. Specifically, it returned all of the
user accounts in my domain! It did not return any specific information on
those accounts, but a simple account list was still a great surprise to me.
All of this while using an account not in my domain and on a machine that is
not a member of my domain.

The auditors do not log into my domain and their machines are not members of
my domain. HOWEVER, their machines are issued an IP address from my DHCP
server and they can access the Internet.


QUESTION:

Is there a way to block access to my servers (port scans etc.) from
machines that are not members of the domain without adversely affecting my
users? Using domain or group policy in the solution would be desirable.

If not, what measures can I take that will limit them to Internet access only?

Any and all suggestions would be greatly appreciated.

Thank you,
--
TB0NE


November 30, 2004 11:09:03 AM

Archived from groups: microsoft.public.win2000.security

Most likely they are connecting with null sessions, which is quite easy to
do. A good read on null sessions is at www.minasi.com. You'll need to
register, but it's free. Search there for 'null sessions'.
Anonymous
November 30, 2004 12:23:04 PM

Archived from groups: microsoft.public.win2000.security

Thanks BitWise.

That pointed me in the right direction. The main gist seemed to suggest a
registry change. There was a broken link posted by Mark Minasi that I'd like
to read but can't ( http://www.minasidownloads.com/nws0312.htm ). It also
brings up a related question concerning Local and Domain Security Policy.
This does the same as the registry change and can be applied across the
entire domain. I'll explain...

There is a policy under Security Options in both the Local and Domain
Security Policy snap-in called "Additional restrictions for anonymous
connections" that can restrict SAM account and share enumerations. Do you (or
does anyone) know of any negative ramifications if I choose to restrict
"enumeration of SAM accounts and shares"? I am running in a pure Windows 2000
environment (Clients and Servers).

If I am running a pure W2K domain, will I see any changes in browsing or
other network services? Will this prevent non-domain users and machines from
retrieving SAM and share information?

Thanks again!
November 30, 2004 1:29:10 PM

Archived from groups: microsoft.public.win2000.security

The link you posted is the exact document you should read. This should answer
all your questions and point you in the right path. The url I have is
http://www.minasi.com/showdoc.asp?docname=nws0312.htm
If this doesn't take you to it, go to http://www.minasi.com/archive.htm ,
sign in and in the search field type 'null sessions'. It should be the first
hit. I had no problems getting to this doc. GL
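Added example, not part of the original thread or written by any of its posters: the "Additional restrictions for anonymous connections" policy discussed above is stored as the `RestrictAnonymous` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and a security template (.inf) records it in its `[Registry Values]` section. The sketch below audits template text for that value; the template names and contents are constructed samples.

```python
import re

# Windows 2000 meanings of RestrictAnonymous, the registry value behind the
# "Additional restrictions for anonymous connections" policy.
LEVELS = {
    0: "None. Rely on default permissions",
    1: "Do not allow enumeration of SAM accounts and shares",
    2: "No access without explicit anonymous permissions",
}
KEY = r"machine\system\currentcontrolset\control\lsa\restrictanonymous"

def restrict_anonymous(inf_text):
    """Return the RestrictAnonymous DWORD defined in a template, or None."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop INF comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "registry values" and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            if name.lower() == KEY:
                reg_type, _, data = value.partition(",")
                if reg_type.strip() != "4":         # 4 = REG_DWORD
                    raise ValueError("unexpected type: " + value)
                return int(data.strip())
    return None

def audit(templates):
    """Map name -> (value, description, blocks_enumeration)."""
    report = {}
    for name, text in templates.items():
        value = restrict_anonymous(text)
        desc = "not defined" if value is None else LEVELS.get(value, "unknown value")
        report[name] = (value, desc, value in (1, 2))
    return report

# Constructed sample templates (hypothetical names), not taken from the thread.
SAMPLES = {
    "default.inf": "[Unicode]\nUnicode=yes\n[Registry Values]\n"
                   "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0\n",
    "hardened.inf": "[Registry Values]\n"
                    "; set via Security Options\n"
                    "machine\\system\\currentcontrolset\\control\\lsa\\restrictanonymous=4,1\n",
    "other.inf": "[System Access]\nMinimumPasswordLength = 8\n",
}

if __name__ == "__main__":
    for name, row in audit(SAMPLES).items():
        print(name, row)
```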