How does unpriv.user logon interactively

By NT-Gill
While syphoning through MS Security bulletins I found this statement from time to time.
"Administrators should apply the patch immediately to machines that allow unprivileged users to log onto them interactively such as workstations." How many scenarios define that statement? Does this mean users are allowed to log locally on to a workstation with no password? Or, is there more to it?


by Antsoair In reply to How does unpriv.user logo ...

They are referring to the Log on Locally user right. These rights are assigned to local groups by default and can be manually set for individuals. You can view these rights in NT by going to Start -> Administrative Tools -> User Manager. Click on User -> Select Domain, and enter the name of the computer you want to examine. Then click on Policies -> User Rights and select Log on locally. A list of groups that have that privilege will appear. These are the groups that can log onto your computer at the keyboard. The users that belong to these groups will still need a valid account and password.


by NT-Gill In reply to How does unpriv.user logo ...

Thank you for the info.


by Joseph Moore In reply to How does unpriv.user logo ...

This can also refer to the default Anonymous Access that all Windows machines allow.
The default setup is for anonymous access (not having to specify a valid user name/password) to connect to a machine and view its resources.
For example, say you are on \\PC1 and there is another machine on your LAN called \\PC2.
Open up a Command Prompt and type in the following:

NET USE \\PC2\IPC$ "" /U:""

That would set up an anonymous connection from your system to \\PC2. You would get the message "The command completed successfully." if you ran it.
From that point, you could view all shared folders, shared printers, and the user list (the user logon accounts, plus some of their properties) all while being connected as an anonymous user.

Now, this can be done over the Internet also.

So, the whole point is that you do not necessarily need to authenticate to a remote machine with a valid user account. You can do some stuff with a totally anonymous account! And yes, with this anonymous account you can do some potentially evil things. A recent Technet security bulletin (MS02-045) is one such evil thing. You can exploit this vulnerability using an anonymous connection. With this specific flaw, you can BSOD a remote system. But, I don't want to say any more on this!


by Joseph Moore In reply to How does unpriv.user logo ...

Now, anonymous connections can be refused by making 1 change in the Registry. In Win2k, you can use the Local Security Policy editor to do this. Open Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options.
The first entry is "Additional Restrictions for Anonymous Connections." Change it from the None default to either of the options listed. If you have WinNT or Win9x boxes in your network, set it to "Do Not Allow Enumeration of SAM Accounts And Shares" to avoid any OS conflicts.

hope this helps
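
One way to check the setting described in the post above from PowerShell (an added example, not part of the original thread). It assumes the policy is stored in the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the function names are made up for this example.

```powershell
# Added example: audit the registry value behind the
# "Additional Restrictions for Anonymous Connections" policy.
# Assumption: the policy maps to RestrictAnonymous under the Lsa key.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Win2k policy labels for each RestrictAnonymous value.
$Labels = @{
    0 = 'None (anonymous enumeration allowed)'
    1 = 'Do not allow enumeration of SAM accounts and shares'
    2 = 'No access without explicit anonymous permissions'
}

function Get-AnonymousRestriction {
    # A missing value is treated as 0 here, the permissive "None" setting.
    $prop = Get-ItemProperty -Path $LsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { [int]$prop.RestrictAnonymous } else { 0 }
    $label = if ($Labels.ContainsKey($value)) { $Labels[$value] } else { 'Unrecognized value' }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Value      = $value
        Setting    = $label
        Restricted = ($value -ge 1)
    }
}

function Set-AnonymousRestriction {
    # Hypothetical helper; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(1, 2)][int]$Level = 1)
    if ($PSCmdlet.ShouldProcess($LsaKey, "Set RestrictAnonymous to $Level")) {
        Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous -Value $Level -Type DWord
    }
}

$state = Get-AnonymousRestriction
$state | Format-List
if (-not $state.Restricted) {
    Write-Warning 'Anonymous enumeration is not restricted on this machine.'
    # Preview only; drop -WhatIf and run elevated to apply the change.
    Set-AnonymousRestriction -Level 1 -WhatIf
}
```

Level 1 matches the option the post recommends for networks that still have WinNT or Win9x machines.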


by NT-Gill In reply to How does unpriv.user logo ...

Thank you. This was enlightening.


by NT-Gill In reply to How does unpriv.user logo ...

This question was closed by the author
