Forums: Securing Nt Against Weak Nt Pass Attack - Forums


Securing Nt Against Weak Nt Pass Attack

#1 PacMan03

  • Private
  • Group: Members
  • Posts: 13
  • Joined: 18-October 03

Posted 21 October 2003 - 07:37 PM

Weak NT pass isn't really a software exploit, it's a user exploit. It exploits users that use weak passwords. As far as I know, the only way to secure yourself against the "weak NT pass" attack is to use a strong password.

#2 thatsmej

  • Private First Class
  • Group: Members
  • Posts: 103
  • Joined: 17-August 03

Posted 22 October 2003 - 03:29 AM

just disable the "server" service

#3 =k3Rn=

  • Corporal
  • Group: Members
  • Posts: 158
  • Joined: 17-September 03

Posted 22 October 2003 - 07:07 PM

Hm, can you tell me what consequences there are when disabling the "server" service?
What could it be used for?

And I am still wondering what service / share or something DameWare uses to connect to hosts (and then I want to close that entry point).

#4 z0mbi3

  • Corporal
  • Group: Members
  • Posts: 173
  • Joined: 12-August 03

Posted 23 October 2003 - 01:08 AM

I think DameWare uses port 139 to enter through the admin$ shares...
Thus if you have the username and password you will be able to access that share.

The thing is, some ISPs block 139 whereas some do not.
Port 139 is NetBIOS (Network Basic Input Output System).

So if you use a firewall and block this then you won't be attacked... unless you have a crap firewall.

l8r. :P

#5 Guest_BlaStA_*

  • Group: Guests

Posted 23 October 2003 - 01:33 AM

There's a DameWare Mini Remote Control service, why don't you disable it? :lol:

#6 =k3Rn=

  • Corporal
  • Group: Members
  • Posts: 158
  • Joined: 17-September 03

Posted 23 October 2003 - 05:16 AM

@BlaStA: nonsense!

I am quite sure DameWare uses the ipc$ share to connect, but I have problems deleting that share. Even net share ipc$ /delete doesn't work on my system (access denied).
I thought this key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
disables the ipc$ share, but this seems to be wrong.

#7 Guest_BlaStA_*

  • Group: Guests

Posted 23 October 2003 - 05:55 AM

Try using psexec or another program other than DameWare MRC to connect.

#8 Sh4dowWalker

  • Private First Class
  • Group: Members
  • Posts: 49
  • Joined: 10-September 03

Posted 10 November 2003 - 07:42 AM

lol BlaStA, yeah, disable the DameWare Mini Remote Control service. Hey... tell me one thing - how do you want to disable it if it's not installed yet? I really wonder how you'll do that.
DameWare may install this service AFTER it connects successfully to the target machine.

Hmm... this method of using psexec is even more interesting. So you're saying that if I want to prevent my comp from DameWare access I need to use psexec. :D :lol: Yeah right, and what will I execute with psexec? =k3Rn= wants to prevent access by DameWare to his comp.

=k3Rn=, I'm using one additional registry key you didn't mention here (with the rest of course).

Quote

System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
Name: RestrictAnonymousSAM
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

Set it to 1 and this will prevent enumerating SAM accounts. BTW "RestrictAnonymous"=dword:00000001 does not disable the ipc$ share, but it doesn't allow anonymous users to list domain user names and enumerate share names.

As for the Server service you asked about, here's some info about it that should help.

Quote

Server
Used for file and print sharing from your computer. For security purposes, you may disable this
service if you do not require local printers and files shared across your network. Connectivity,
however, still exists even on incoming shared network drives. Workstation needs to be running
to connect to another computer that has the files you are looking for. Note: If you disable File
and Print sharing, the Server Service may disappear from the Services listing. Just enable File
and Print sharing again and the Server Service will return.
Default 2000 Server: Automatic
Default 2000 Pro: Automatic
Safe Setting: Automatic
Dependencies:
What service Server needs to function properly:
None
What other services require Server to function properly:
Computer Browser
Message Queuing

I have disabled this one.
Here's some extra info about the Computer Browser and Message Queuing services to prevent further questions ;)

Quote

Message Queuing
May be used on some domains, but the average home user will never need this service.
Default 2000 Server: Not Installed
Default 2000 Pro: Not Installed
Safe Setting: Not Installed
Dependencies:
What services Message Queuing needs to function properly:
  Distributed Transaction Coordinator
    o Remote Procedure Call (RPC)
    o Security Accounts Manager
  NT LM Security Support Provider
  Protected Storage
    o Remote Procedure Call (RPC)
  Remote Procedure Call (RPC)
  Server
What other services require Message Queuing to function properly:
None

Computer Browser
Computer Browser service maintains a listing of computers and resources located on the
network. This service is not required on a standalone system. In fact, even if you want to browse
the network (workgroup or domain) or have mapped network shares as local hard drives, you can
still do so. On a large network, one computer is designated the master browser and another one
is the backup browser. All others just announce they are available every 12 minutes to take
over duties if one of the other computers fails. No lag time is discernible if this service remains
disabled on all but one computer. Honestly, I do not even believe one needs to be running. You
could, just in case, but it sure does not need to be running on all computers, all of the time.
Default 2000 Server: Automatic
Default 2000 Pro: Automatic
Safe Setting: Disabled
Dependencies:
What services Computer Browser needs to function properly:
Server
Workstation
What other services require Computer Browser to function properly:
None


For DameWare not to work you only need to disable the Server service (keep in mind that some internet uses or some programs may need this service to run on your machine). Additional system securing with these registry keys and setting up a good admin password is good to do too.

Ahhh.. and you can also disable the Messenger service. If I remember correctly there was some flaw in it discovered recently. It can be used for spamming for example.

Quote

Messenger
This service provides the ability to send messages between clients and servers. This service
need not be running under normal home conditions. It is also advisable to make this service
go away to avoid the possibility of net send messages hitting your computer from the internet.
This has nothing to do with MSN Messenger, nor is it WinPopUp.
To test for this security vulnerability, at the command prompt (run: cmd.exe) type:
net send 127.0.0.1 hi
If you get a popup "hi" message, you should disable the Messenger service.
If you get an error stating "The message alias could not be found on the network", you are safe.
If, for whatever reason, you need the Messenger service running but wish not to have spam
popups active, you can disable the particular ports at your firewall. The Messenger service uses
UDP ports 135, 137, and 138; TCP ports 135, 139, and 445.



Ok, I think this should help you. For me it works great. Maybe there's some other way too....

Peace
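The post above names two LSA registry values and three services (Server, Computer Browser, Messenger) as the things to check. The PowerShell script below is an added example, not something posted in the thread, that audits exactly those settings on a current Windows build. It assumes PowerShell 5 or later and an elevated session; the service names LanmanServer, Browser and Messenger are the real Windows service names (Messenger no longer ships on modern Windows, so it is reported as not installed rather than treated as an error), and the Special property of Get-SmbShare is what marks the administrative shares.

```powershell
# Added audit example (not from the thread). Run as Administrator on Windows 8 /
# Server 2012 or later with PowerShell 5+. Read-only: it changes nothing.

function Get-AnonymousRestrictionReport {
    # RestrictAnonymous and RestrictAnonymousSAM are the two LSA values from the post.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
        $actual = $lsa.$name
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        # The post recommends 1 for both; anything else is flagged for review.
        $status = if ($actual -eq 1) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{ Value = $name; Actual = $shown; Expected = 1; Status = $status }
    }
}

function Get-ThreadServiceState {
    # LanmanServer = "Server", Browser = "Computer Browser", Messenger = the XP-era
    # Messenger service (absent on current Windows, hence the -ErrorAction).
    foreach ($svc in 'LanmanServer', 'Browser', 'Messenger') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) {
            [pscustomobject]@{ Service = $svc; Status = 'not installed'; StartType = '-' }
        } else {
            [pscustomobject]@{ Service = $s.Name; Status = $s.Status; StartType = $s.StartType }
        }
    }
}

function Get-AdminShares {
    # Administrative shares (C$, ADMIN$, IPC$ ...) that the Server service exposes.
    # Nothing is returned if the Server service is stopped, which is the thread's fix.
    Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $_.Special } |
        Select-Object Name, Path, Description
}

# Report the three views the thread cares about.
'--- LSA anonymous-access restrictions ---'
Get-AnonymousRestrictionReport | Format-Table -AutoSize
'--- Services discussed in the thread ---'
Get-ThreadServiceState | Format-Table -AutoSize
'--- Administrative shares currently exposed ---'
Get-AdminShares | Format-Table -AutoSize
```

A REVIEW status on either LSA value, or a Running Server service alongside a list of administrative shares, is the state the post is warning about; on a domain-joined machine, however, the administrative shares are used by management tooling, so the script only reports and leaves the decision to the administrator.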

#9 Guest_BlaStA_*

  • Group: Guests

Posted 10 November 2003 - 08:19 AM

Sh4dowWalker, on Nov 10 2003, 03:42 PM, said:

lol BlaStA, yeah, disable Dameware Mini Remote Control service. Hey... tell me one thing - how do you want to disable it if it's not installed yet? I really wonder how you'll do that.
Dameware may install this service AFTER it connects succesfully to target machine.

Quote

the problem is, that can still access the puter using dameware (knowing the admin pass).
can anyone tell me how to secure against that access?


So he installed the DameWare MRC on the remote system. So there IS a DameWare service on the remote PC.

#10 Sh4dowWalker

  • Private First Class
  • Group: Members
  • Posts: 49
  • Joined: 10-September 03

Posted 10 November 2003 - 08:43 AM

BlaStA (Se)...
Then try your DameWare on a new machine. And what have you got (I assume you knew the admin l/p)? Tada - it will ask you about installing this service first. This service allows DameWare to do some remote administration thingy. BTW there's one more service that may be installed by DameWare (depends on how you want to use DameWare).

Of course disabling it will help AFTER DameWare was installed. But it will help you only until another DameWare access try. =k3Rn= wants to prevent his machine from being accessed by DameWare. BlaStA, assume that the machine we want to protect against DW is clean of it, then how do you want to protect it? By disabling a nonexistent service?

Here's a little info about both services:
DameWare Mini Remote Control Service - DWRCS.EXE - this one comes when you want remote desktop.
DameWare NT Utilities Service - DNTUS26.EXE - and this one is installed after first use of remote command.
They're using the Admin$ share when trying to install.

#11 Susboy

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 17-August 03

Posted 16 November 2003 - 04:45 PM

thatsmej, on Oct 22 2003, 11:29 AM, said:

just disable the "server" service

^ Probably the best way to secure yourself.
Or have a batch file running on startup with:

net share c$ /delete /y
net share d$ /delete /y
net share admin$ /delete /y
net share ipc$ /delete /y

etc etc. But the best would be closing ports 138 139 445 so they can't even scan for passes/connect to you.

#12 =k3Rn=

  • Corporal
  • Group: Members
  • Posts: 158
  • Joined: 17-September 03

Posted 26 November 2003 - 12:37 PM

Thx for your reply Sh4dowWalker - interesting!

#13 WaZa

  • Private
  • Group: Members
  • Posts: 14
  • Joined: 29-November 03

Posted 29 November 2003 - 07:44 PM

You may think deleting the shares is the best way to secure, but shares are created by the sysop probably because he needs them. If he notices his shares down, he will probably just recreate them, and if he notices them disabled more than once, he may get suspicious of a hacker ;)

#14 =k3Rn=

  • Corporal
  • Group: Members
  • Posts: 158
  • Joined: 17-September 03

Posted 29 November 2003 - 07:48 PM

i only remove the admin shares
c$
admin$
ipc$

they are not needed

#15 net

  • Private First Class
  • Group: Members
  • Posts: 51
  • Joined: 29-November 03

Posted 13 December 2003 - 08:01 AM

Weak pw is very relative though.. :) because the longer the hacker scans the weaker your pw gets ;)

But using a long pw with 10 or more characters would protect you kinda well..

Removing the shares also helps, but don't forget that the shares are added again on every reboot.. you would have to create a batch that runs on every system boot.


greetz
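Susboy's startup batch file (post #11) and net's reminder just above that the shares come back on every reboot describe the same gap: deleting the administrative shares with net share is not persistent. The PowerShell script below is an added example, not code from the thread, that removes the shares the posts list, sets the LanmanServer value that stops the Server service from recreating them at boot (so no startup batch is needed), and blocks the NetBIOS/SMB ports the thread names at the host firewall. It assumes PowerShell 5 or later in an elevated session on Windows 8 / Server 2012 or later; AutoShareWks (workstations) and AutoShareServer (servers) are real LanmanServer parameters, and the port list is the one from posts #4, #8 and #11. IPC$ is deliberately not in the list because, as =k3Rn= found, net share cannot delete it.

```powershell
# Added hardening example for a standalone machine (not from the thread).
# Run as Administrator; PowerShell 5+, Windows 8 / Server 2012 or later.

# Shares from posts #11 and #14. IPC$ is omitted: it cannot be removed with net share.
$AdminShares = 'C$', 'D$', 'ADMIN$'

function Remove-AdminShares {
    # Removes whichever of the listed shares exist right now (same effect as the
    # "net share x$ /delete" batch in post #11) and returns the names removed.
    $removed = @()
    foreach ($share in $AdminShares) {
        if (Get-SmbShare -Name $share -ErrorAction SilentlyContinue) {
            Remove-SmbShare -Name $share -Force
            $removed += $share
        }
    }
    return $removed
}

function Disable-AutoShareCreation {
    # The Server service recreates C$/ADMIN$ at every start (post #15's complaint).
    # AutoShareWks = 0 (workstation) or AutoShareServer = 0 (server) turns that off.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType  # 1 = workstation
    $valueName = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
    New-ItemProperty -Path $params -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    return $valueName
}

function Block-NetBiosPorts {
    # Host-firewall rules for the ports the thread names: UDP 137/138 (NetBIOS name
    # and datagram service) and TCP 139/445 (NetBIOS session / SMB). Applied to the
    # Private and Public profiles only, so a domain-joined machine keeps management access.
    $rules = @(
        @{ Name = 'Block inbound NetBIOS-NS/DGM (UDP 137,138)'; Protocol = 'UDP'; Port = 137, 138 }
        @{ Name = 'Block inbound NetBIOS-SSN/SMB (TCP 139,445)'; Protocol = 'TCP'; Port = 139, 445 }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Port -Profile Private, Public | Out-Null
        }
    }
}

"Removed shares : $((Remove-AdminShares) -join ', ')"
"Set to 0       : $(Disable-AutoShareCreation)"
Block-NetBiosPorts
'Firewall rules in place for UDP 137,138 and TCP 139,445 (Private/Public profiles).'
```

This addresses the thread's standalone home-machine case; on a domain member, ADMIN$, IPC$ and TCP 445 are what Group Policy, remote administration and patch tooling use, so there the right control is restricting who can authenticate (strong passwords and lockout, as post #1 says) rather than removing the shares.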