How do I prevent the use of tools like Hyena from gaining ..
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
OK. Our IT Auditors just visted us and with a wealth of information
concerning our AD Domain Accounts, Member Server, info, etc. Fortunately, I
am friendly with one the Auditors and was able find out they obtained this
information. They obtained the information using a tool called "Hyena".
They were able to gather a lot of information with tool, with no elevated
user rights, just domain user accounts? My question is "How do I prevent
ordinary users from using such tools to gain information from our network?"
I find this to be serious security risk, in that anyone with access to our
network can get such information.
OK. Our IT Auditors just visted us and with a wealth of information
concerning our AD Domain Accounts, Member Server, info, etc. Fortunately, I
am friendly with one the Auditors and was able find out they obtained this
information. They obtained the information using a tool called "Hyena".
They were able to gather a lot of information with tool, with no elevated
user rights, just domain user accounts? My question is "How do I prevent
ordinary users from using such tools to gain information from our network?"
I find this to be serious security risk, in that anyone with access to our
network can get such information.
More about : prevent tools hyena gaining
Archived from groups: microsoft.public.win2000.security (More info?)
The issue really is not one of preventing use of such tools, but
of determining which categories of information really do form
a risk by being available and then taking steps so that the system
does not make such info available to a plain user.
Going about it your way does nothing relative to the next tool,
or relative to someone that can script in Windows.
It is easy to react to seeing something like a list of all accounts
and thing this should not be. But what is the risk that it actually
poses? And, if one did, or could, block this what would be the
impact? Notice that one low power account could not easily
manage permissions on things like folders they share, or the
memberships in groups they have been delegated, etc. if they
are not able to list the accounts / query and pick the accounts.
Most information that a limit user has no business accessing
is or can be restricted from them.
--
Roger Abell
Microsoft MVP (Windows Security)
"ArizonaRay" <ArizonaRay@discussions.microsoft.com> wrote in message
news:87A568C5-E256-474C-92CC-C272BB732E27@microsoft.com...
> OK. Our IT Auditors just visted us and with a wealth of information
> concerning our AD Domain Accounts, Member Server, info, etc. Fortunately,
I
> am friendly with one the Auditors and was able find out they obtained this
> information. They obtained the information using a tool called "Hyena".
> They were able to gather a lot of information with tool, with no elevated
> user rights, just domain user accounts? My question is "How do I prevent
> ordinary users from using such tools to gain information from our
network?"
> I find this to be serious security risk, in that anyone with access to our
> network can get such information.
>
The issue really is not one of preventing use of such tools, but
of determining which categories of information really do form
a risk by being available and then taking steps so that the system
does not make such info available to a plain user.
Going about it your way does nothing relative to the next tool,
or relative to someone that can script in Windows.
It is easy to react to seeing something like a list of all accounts
and thing this should not be. But what is the risk that it actually
poses? And, if one did, or could, block this what would be the
impact? Notice that one low power account could not easily
manage permissions on things like folders they share, or the
memberships in groups they have been delegated, etc. if they
are not able to list the accounts / query and pick the accounts.
Most information that a limit user has no business accessing
is or can be restricted from them.
--
Roger Abell
Microsoft MVP (Windows Security)
"ArizonaRay" <ArizonaRay@discussions.microsoft.com> wrote in message
news:87A568C5-E256-474C-92CC-C272BB732E27@microsoft.com...
> OK. Our IT Auditors just visted us and with a wealth of information
> concerning our AD Domain Accounts, Member Server, info, etc. Fortunately,
I
> am friendly with one the Auditors and was able find out they obtained this
> information. They obtained the information using a tool called "Hyena".
> They were able to gather a lot of information with tool, with no elevated
> user rights, just domain user accounts? My question is "How do I prevent
> ordinary users from using such tools to gain information from our
network?"
> I find this to be serious security risk, in that anyone with access to our
> network can get such information.
>
Archived from groups: microsoft.public.win2000.security (More info?)
The other responders to this post were right-on in their excellent
replies.
As the developer of 'Hyena', I had a few other observations:
- Hyena only uses the built-in standard Windows functions to get
information. Chances are that the auditor could also have obtained
this information using Microsoft's tools, or any other 3rd party
administration tool.
- Everyone, especially the IT auditors, need to understand that
security does not involve limiting access to an application or utility,
but rather an understanding of what information a default user can
obtain and if it can be limited, the problems that limiting this
information can pose.
One post correctly pointed out that a list of user and group accounts
is needed to set security on a file/directory, which a normal end-user
may be able to do. A list of network shares is another thing that
normally any user can obtain.
A good way to determine any possible security holes and to be able to
see what rights and limitations a normal 'domain user' has is to run
'Hyena' under such an account.
Kevin Stanush
SystemTools Software Inc.
http://www.systemtools.com
Home of 'Hyena' for Windows Administration
The other responders to this post were right-on in their excellent
replies.
As the developer of 'Hyena', I had a few other observations:
- Hyena only uses the built-in standard Windows functions to get
information. Chances are that the auditor could also have obtained
this information using Microsoft's tools, or any other 3rd party
administration tool.
- Everyone, especially the IT auditors, need to understand that
security does not involve limiting access to an application or utility,
but rather an understanding of what information a default user can
obtain and if it can be limited, the problems that limiting this
information can pose.
One post correctly pointed out that a list of user and group accounts
is needed to set security on a file/directory, which a normal end-user
may be able to do. A list of network shares is another thing that
normally any user can obtain.
A good way to determine any possible security holes and to be able to
see what rights and limitations a normal 'domain user' has is to run
'Hyena' under such an account.
Kevin Stanush
SystemTools Software Inc.
http://www.systemtools.com
Home of 'Hyena' for Windows Administration
Archived from groups: microsoft.public.win2000.security (More info?)
My personnel observation when Microsoft remote registry service and Netbios
are running a user with even just guest rights can scan the network to get a
lot of information such as the shares,user id's, password policy,services
running etc....
"ArizonaRay" <ArizonaRay@discussions.microsoft.com> wrote in message
news:87A568C5-E256-474C-92CC-C272BB732E27@microsoft.com...
> OK. Our IT Auditors just visted us and with a wealth of information
> concerning our AD Domain Accounts, Member Server, info, etc. Fortunately,
> I
> am friendly with one the Auditors and was able find out they obtained this
> information. They obtained the information using a tool called "Hyena".
> They were able to gather a lot of information with tool, with no elevated
> user rights, just domain user accounts? My question is "How do I prevent
> ordinary users from using such tools to gain information from our
> network?"
> I find this to be serious security risk, in that anyone with access to our
> network can get such information.
>
My personnel observation when Microsoft remote registry service and Netbios
are running a user with even just guest rights can scan the network to get a
lot of information such as the shares,user id's, password policy,services
running etc....
"ArizonaRay" <ArizonaRay@discussions.microsoft.com> wrote in message
news:87A568C5-E256-474C-92CC-C272BB732E27@microsoft.com...
> OK. Our IT Auditors just visted us and with a wealth of information
> concerning our AD Domain Accounts, Member Server, info, etc. Fortunately,
> I
> am friendly with one the Auditors and was able find out they obtained this
> information. They obtained the information using a tool called "Hyena".
> They were able to gather a lot of information with tool, with no elevated
> user rights, just domain user accounts? My question is "How do I prevent
> ordinary users from using such tools to gain information from our
> network?"
> I find this to be serious security risk, in that anyone with access to our
> network can get such information.
>
Archived from groups: microsoft.public.win2000.security (More info?)
If you do not enable Guest account in your environment,
and use the policy settings to prevent anonymous logins
from enumerating account, groups, and shares, then you
will not have this problem.
--
Roger Abell
Microsoft MVP (Windows Security)
"Srikrishna Komatineni" <srikrishnak@hotmail.com> wrote in message
news:uNlFdpMdFHA.584@TK2MSFTNGP15.phx.gbl...
> My personnel observation when Microsoft remote registry service and
Netbios
> are running a user with even just guest rights can scan the network to get
a
> lot of information such as the shares,user id's, password policy,services
> running etc....
>
>
> "ArizonaRay" <ArizonaRay@discussions.microsoft.com> wrote in message
> news:87A568C5-E256-474C-92CC-C272BB732E27@microsoft.com...
> > OK. Our IT Auditors just visted us and with a wealth of information
> > concerning our AD Domain Accounts, Member Server, info, etc.
Fortunately,
> > I
> > am friendly with one the Auditors and was able find out they obtained
this
> > information. They obtained the information using a tool called "Hyena".
> > They were able to gather a lot of information with tool, with no
elevated
> > user rights, just domain user accounts? My question is "How do I
prevent
> > ordinary users from using such tools to gain information from our
> > network?"
> > I find this to be serious security risk, in that anyone with access to
our
> > network can get such information.
> >
>
>
If you do not enable Guest account in your environment,
and use the policy settings to prevent anonymous logins
from enumerating account, groups, and shares, then you
will not have this problem.
--
Roger Abell
Microsoft MVP (Windows Security)
"Srikrishna Komatineni" <srikrishnak@hotmail.com> wrote in message
news:uNlFdpMdFHA.584@TK2MSFTNGP15.phx.gbl...
> My personnel observation when Microsoft remote registry service and
Netbios
> are running a user with even just guest rights can scan the network to get
a
> lot of information such as the shares,user id's, password policy,services
> running etc....
>
>
> "ArizonaRay" <ArizonaRay@discussions.microsoft.com> wrote in message
> news:87A568C5-E256-474C-92CC-C272BB732E27@microsoft.com...
> > OK. Our IT Auditors just visted us and with a wealth of information
> > concerning our AD Domain Accounts, Member Server, info, etc.
Fortunately,
> > I
> > am friendly with one the Auditors and was able find out they obtained
this
> > information. They obtained the information using a tool called "Hyena".
> > They were able to gather a lot of information with tool, with no
elevated
> > user rights, just domain user accounts? My question is "How do I
prevent
> > ordinary users from using such tools to gain information from our
> > network?"
> > I find this to be serious security risk, in that anyone with access to
our
> > network can get such information.
> >
>
>
Related ressources:
- ForumSimBin's GT Legends will prevent Windows 7 from booting...
- ForumHow to prevent malware from running on your PC
- ForumAMD TO CONTINUE GAINING SHARE FROM INTEL
- ForumHow to prevent a drive from showing up on the network?
- ForumYAVP - my first! (33 Dwarven Healer)
- ForumWould a firewall prevent Sasser worm?
- ForumHELP, Hacked with machine account
- ForumPrevent access to USB HDD
- ForumDoes copyright law really prevent a user from PRINTING/CON..
- Forumhow do u prevent dusts in ur pc case?
- ForumPrevent user(s) from modifying Windows Vista
- ForumHow to prevent skype's violation-Skype bypasses Firewall
- Forumadministrator account hidden
- ForumHow to prevent prevent Files or Folders from being deleted..
- ForumHow to prevent executing REG files
- ForumParallel and com ports not appearing in device manager
- ForumSecurity problems from XP to 2000
- ForumHow good is AOL's firewall and anti-spyware
- ForumHow to block all traffic but SQL Server
- ForumHow to save (i.e., back up) an IPSec policy
- More resources
!
