SMB Guest Login

Article:TECH95661  |  Created: 2009-01-20  |  Updated: 2009-01-20  |  Article URL http://www.symantec.com/docs/TECH95661
Article Type
Technical Solution


Environment

Issue



A user would like to know what the following message means: "[SID: 21545] SMB Guest Login detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe"

Symptoms
This signature detects attempts to connect to a share using the "Guest" user name. The Guest account is disabled by default on most Windows installations.



Cause



Several vendors apply the Windows access control model poorly to their services. A common mistake is to grant the SERVICE_CHANGE_CONFIG permission indiscriminately on services. A normal, unprivileged user is a member of the Authenticated Users group, so such a user can change the executable and the account under which these services run. The Service Control Manager (SCM) API provides functions to create a new service, change the configuration of an existing service, and so on, and the SCM is exposed remotely through the named pipe svcctl. It is therefore possible for a user to connect to the target system as "Guest" and change the configuration settings of the weak service over the svcctl named pipe. Note: A user logged in as Guest belongs to the "Authenticated Users" group.

Solution



Verify that the "Guest" user account on the target system is not enabled.
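The following audit script is an added example, not part of the Symantec article: it performs the check recommended above (is the Guest account enabled?) and also lists services whose security descriptor grants SERVICE_CHANGE_CONFIG to the broad groups named in the Cause section. It assumes Windows PowerShell 5.1 or later (for Get-LocalUser) and sc.exe, and should be run elevated on the host being checked.

```powershell
# Added audit script, not from the Symantec article. Assumes Windows PowerShell 5.1+
# (Get-LocalUser) and sc.exe; run it elevated on the host being checked.

function Test-GuestEnabled {
    # The article's recommended check: is the built-in Guest account enabled?
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    return [bool]($guest -and $guest.Enabled)
}

function Get-BroadlyConfigurableServices {
    # Lists services whose DACL grants SERVICE_CHANGE_CONFIG (SDDL right 'DC') or
    # GENERIC_ALL ('GA') to a broad principal. SDDL trustee abbreviations used here:
    # AU = Authenticated Users, BU = Users, WD = Everyone, IU = Interactive, AN = Anonymous.
    $broad = 'AU', 'BU', 'WD', 'IU', 'AN'
    foreach ($svc in Get-Service) {
        # sc.exe sdshow prints the service security descriptor in SDDL form
        $sddl = ((sc.exe sdshow $svc.Name) -join '').Trim()
        if ($sddl -notmatch '^D:') { continue }   # access denied or no DACL returned
        # Each access-allowed ACE looks like (A;;<rights>;;;<trustee>)
        foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
            $rights  = $m.Groups[1].Value
            $trustee = $m.Groups[2].Value
            if ($rights -like '0x*') { continue }  # numeric access mask; not decoded here
            # Rights are consecutive two-letter tokens; pair them so 'SDCC' is not read as 'DC'
            $tokens = [regex]::Matches($rights, '[A-Z]{2}') | ForEach-Object { $_.Value }
            if (($broad -contains $trustee) -and ($tokens -contains 'DC' -or $tokens -contains 'GA')) {
                [pscustomobject]@{ Service = $svc.Name; Trustee = $trustee; Rights = $rights }
            }
        }
    }
}

if (Test-GuestEnabled) { Write-Warning 'Guest account is ENABLED; disable it as recommended above.' }
else { Write-Output 'Guest account is disabled or absent.' }

$weak = @(Get-BroadlyConfigurableServices)
if ($weak.Count) { $weak | Format-Table -AutoSize }
else { Write-Output 'No service grants SERVICE_CHANGE_CONFIG to a broad group.' }
```

Any service reported by the second check should have its DACL tightened (for example with sc.exe sdset) so that only administrators and SYSTEM can change its configuration.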


References
Security Response: SMB Guest Login

Legacy ID
2009082013100248

