Blank (unnamed) user accessing NT 4.0 sh

By RedEyes ·
Server Manager (and netwatch.exe) shows a user without a name simultaneously logged in at several machines accessing network shares all over the domain. All clients are NT Workstation SP4 or higher. PDC and BDC are NT4 Server SP6a. NO DHCP, but WINS is running on the PDC. No user has local access privilege to any workstation -- everyone must authenticate to the domain. The unnamed user has both read and write access to various files (no pattern) in each share. Are there any system accounts that don't identify themselves? What are some possible explanations?

by guy In reply to Blank (unnamed) user acce ...

Are you sure it's not one named user, who has multiple instances, that is one account logging on to multiple shares, and their name is only recorded once, the 'unnamed' references are like ditto, the user above?

Who has used User Manager lately? What did they do?

by zk In reply to Blank (unnamed) user acce ...

I am not very sure exactly how you found out "read and write access to various files". Did he show up in User Manager with read write access? Or in the share's permission he/she/it shows up with Full Control? But, I will give it a shot anyway. Hehe.

The user you are referring to might be the null user. This is NT's equivalent of anonymous. Sometimes NT machines use a blank user with a blank password to talk to each other. This logging in as a blank user can take place over TCP port 139 (NetBIOS Session).

If you look at Server Manager or netwatch closely you will see that __ from \\computer as a user. The share will very likely be IPC$. IPC$ is not a physical share that you can read or write to. It is the Inter Process Communication that NT machines use to find out information about other NTs. Seems like there are more of these on servers like proxy.

To verify the above type w/o brackets (net use \\computer\ipc$ "" /user:"" ) and you will see "command completed successfully". With this account you can check

by RedEyes In reply to Blank (unnamed) user acce ...

zmoo -- I'm giving you half the points (see your continuation) because you gave it the "old college try..." I should have mentioned in my description that the IPC$ share wasn't my concern, but that actual documents were in use by the "phantom user" who, by the way, still happens to be "logged in" from several machines (along with each PC's expected user) even as I write this comment. I also have what I believe to be more-than-adequate firewall protection in place -- at least I know that port 139 is slammed shut.
Thanks for your input. I think these forums are a great idea.

Arnie

by zk In reply to Blank (unnamed) user acce ...

Oops! not enough space. Continuation from above.

shares without even logging in! and do some interesting things :-). Applications could also log in as a null user.

Do a net view \\computer. Voilà! Most experts here call this the red button vulnerability or null session connection. Therefore, if your computer is connected to the net, disable the NetBIOS interface on the adapter with the internet address. As long as port 139 is open anybody can do this.

Even if you enable auditing on everybody it is still very hard (ok, at least for me!) to track this null user by logon/off. I think you need to catch it with object access. (Not so sure though).

Well, this is what I think it is. Other people will surely have better answers.

Hope That Helps.

by RedEyes In reply to Blank (unnamed) user acce ...

zmoo -- I'm giving you half the points because you gave it the "old college try..." I should have mentioned in my description that the IPC$ share wasn't my concern, but that actual documents were in use by the "phantom user" who, by the way, still happens to be "logged in" from several machines (along with each PC's expected user) even as I write this comment. I also have what I believe to be more-than-adequate firewall protection in place -- at least I know that port 139 is slammed shut.
Thanks for your input. I think these forums are a great idea.

Arnie
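
Added example, not part of the thread: one way to separate the blank-user sessions discussed above from named ones in a saved `net session` listing, and to see which of them hold open resources. The sample rows, host and user names, and the column widths are constructed assumptions.

```python
# Added example, not from the thread. Triage of a captured `net session`
# listing: find sessions whose user name is blank (null sessions).
# Assumption: fixed-width columns under the header, as built below.
FMT = "{:<23}{:<21}{:<18}{:>5} {}"
HEADER = FMT.format("Computer", "User name", "Client Type", "Opens", "Idle time")

# Constructed sample rows (host and user names are made up).
ROWS = [
    ("\\\\WKSTN01", "jsmith", "Windows NT 1381", 2, "00:01:15"),
    ("\\\\WKSTN01", "", "Windows NT 1381", 0, "00:00:42"),
    ("\\\\WKSTN02", "", "Windows NT 1381", 3, "00:00:05"),
    ("\\\\WKSTN03", "adavis", "Windows NT 1381", 1, "00:12:30"),
]
SAMPLE = "\n".join(
    [HEADER, "", "-" * 79]
    + [FMT.format(*r) for r in ROWS]
    + ["The command completed successfully.", ""]
)


def parse_sessions(text):
    """Slice each row at the header's column offsets; a blank user name
    would shift every later field if the row were split on whitespace."""
    lines = text.splitlines()
    head = next(l for l in lines if l.startswith("Computer"))
    names = ["Computer", "User name", "Client Type", "Opens", "Idle time"]
    starts = [head.index(n) for n in names] + [None]
    sessions = []
    for line in lines:
        if not line.startswith("\\\\"):
            continue  # header, separator or status line
        f = [line[a:b].strip() for a, b in zip(starts, starts[1:])]
        sessions.append({"computer": f[0], "user": f[1],
                         "opens": int(f[3]), "idle": f[4]})
    return sessions


def triage(sessions):
    """Split blank-user sessions into those with nothing open and those
    holding open resources, which need per-file follow-up (net file)."""
    null = [s for s in sessions if s["user"] == ""]
    idle = [s["computer"] for s in null if s["opens"] == 0]
    busy = [(s["computer"], s["opens"]) for s in null if s["opens"] > 0]
    return idle, busy


if __name__ == "__main__":
    print(triage(parse_sessions(SAMPLE)))
```
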
