SMB Guest Login
|Article:TECH95661|||||Created: 2009-01-20|||||Updated: 2009-01-20|||||Article URL http://www.symantec.com/docs/TECH95661|
A user would like to know what the following message means: "[SID: 21545] SMB Guest Login detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe"
This signature detects users making attempts to connect to a share using the username credentials "Guest". The Guest account is disabled by default on most Windows installations.
Several vendors poorly apply the Windows access control model to their services. A common mistake is to assign the SERVICE CHANGE CONFIG permission indiscriminately to services. A normal, unprivileged user is a part of the Authenticated Users group, and, hence, a normal user can configure the executable and the account under which these services run. The SCM Manager API provides functionality to create a new service, change the service configuration of a service, etc. The SCM Manager is exposed remotely via the named pipe svcctl. Thus, it is possible for a user to connect to the target system as a "Guest" user and change the configuration settings for the weak service using the named pipe svcctl. Note: A user logged in as a Guest belongs to the "Authenticated Users" group.
Verify that the "Guest" user account on the target system is not enabled.
Security Response: SMB Guest Login
Article URL http://www.symantec.com/docs/TECH95661