| VID | 24031 |
| Severity | 30 |
| Port | 139 |
| Protocol | TCP |
| Class | SMB |
| Detailed Description |
The registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable is set to 0xffffff9d. This probably means that the host has been compromised. The special value 0xffffff9d disables Windows File Protection (WFP), a feature introduced in Windows 2000 that prevents monitored system files from being deleted or replaced. By blocking the replacement of essential system files, WFP avoids file version mismatches and helps maintain system integrity. Protecting system files is an important defence against attacks that replace them, and so helps prevent intrusions.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If this condition is not met, the check is not performed and every vulnerable host produces a false negative.
* References:
http://www.iss.net/security_center/static/4138.php
http://support.microsoft.com/support/kb/articles/Q222/4/73.ASP
http://oliver.efri.hr/~crv/security/bugs/NT/reg3.html |
| Recommendation |
Enable system file checking in the Windows Registry.
To enable system file checking:
1. Using Regedit, find the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
2. Find the registry entry named SFCDisable.
3. Change the value to "0" to require Windows to always perform system file checking. |
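The following PowerShell function is an added example, not part of this check record or of any vendor tool. It audits the SFCDisable value the check looks for on the local host and, with -Remediate, resets it to 0 as the recommendation describes; the function name and output fields are assumptions of this example.

```powershell
# Added example: audit (and optionally reset) the Winlogon SFCDisable value.
# Assumes a Windows host where the caller can read HKLM (and write it for -Remediate).
function Test-SfcDisable {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # set SFCDisable back to 0 when the flagged value is found
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $valueName = 'SFCDisable'
    $wfpOff    = 0xffffff9d   # the value this check flags (parsed as Int64 in PowerShell)

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value at all means WFP is left at its default (enabled) behaviour.
        return [pscustomobject]@{
            Present = $false; Value = $null; WfpDisabled = $false
            Status  = 'SFCDisable not present (default: WFP enabled)'
        }
    }

    # REG_DWORD values come back as signed Int32, so 0xffffff9d reads as -99.
    # Mask to 32 bits so the comparison is against the unsigned value.
    $raw      = ([int64]$item.$valueName) -band 0xFFFFFFFF
    $disabled = ($raw -eq $wfpOff)

    $status = if ($disabled) { 'WFP disabled (0xffffff9d) - matches VID 24031' }
              elseif ($raw -eq 0) { 'WFP enabled (0)' }
              else { 'Non-zero SFCDisable value; review against Q222473' }

    if ($disabled -and $Remediate -and
        $PSCmdlet.ShouldProcess($keyPath, "Set $valueName to 0")) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
        $status += ' -> reset to 0'
    }

    return [pscustomobject]@{
        Present     = $true
        Value       = ('0x{0:x8}' -f $raw)
        WfpDisabled = $disabled
        Status      = $status
    }
}

# Usage: report only, or remediate with confirmation prompts via -WhatIf/-Confirm.
Test-SfcDisable
# Test-SfcDisable -Remediate -WhatIf
```

Run it from an elevated session when using -Remediate; on Windows Vista and later the value is no longer honoured by Windows Resource Protection, but its presence is still a useful indicator of tampering on the legacy hosts this check targets.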
| Related URL (CVE) | |
| Related URL (SecurityFocus) | |
| Related URL (ISS) | |