COMMAND

    Obtaining user list

SYSTEMS AFFECTED

    Win NT server

PROBLEM

    Steve Thomas reported an interesting Microsoft "feature" that
    allows anyone running an NT server as a domain controller to obtain
    a complete user listing, including group memberships, of any
    other NT server on the same network.  Here's how it is done:


    1.  Connect an  NT server  to the  same network  as the target  NT
	server.

    2.  From the USER MANAGER, create a trusting relationship with
        the target.  When prompted for a password, enter whatever you
        want; it doesn't matter.  You will get a response stating that
        NT couldn't verify the trust (this is because of the invalid
        password).  However, the target will now be on your trusting
        list.

    3.  Launch NT Explorer and right click on any folder.

    4.  Select SHARING.

    5.  From the SHARED window, select ADD.

    6.  From the ADD menu, select your target NT server.
	(SECURITY/PERMISSIONS/ADD/DOMAIN=TARGETED DOMAIN)

    7.  You will  now see  the entire  group listing  of the   target.
	And if  you select  SHOW USERS,  you will  see the entire user
	listing, including full names and descriptions.

    Steve has tested this exploit  on three target NT servers  running
    on different networks,  all with successful  results. With a  user
    listing (including full names, descriptions and group memberships)
    a hacker now has valid accounts to attack.

SOLUTION

    The sec-fix does fix this problem.  SP3 should fix it as well.