VID 27012
Severity 40
Port 139
Protocol TCP
Class SMB
Detailed Description A Domain User account with no password exists, and it's possible to log into the system with the account.

A domain account is granted logon rights on the domain and access to every resource in the domain for which it has been given permission. This account information is stored in Active Directory on the domain controller. Account management and password management are important in preventing unauthorized access to your systems. If a user account with no password exists, an attacker can guess the password and log on to the system, and may then access restricted sensitive information and system resources with that user's privileges.

This check attempts to log on remotely with a null password for domain user accounts only, and reports the names of the accounts for which the logon succeeded.

* References:
http://www.iss.net/security_center/static/1362.php
Recommendation Disable this account if it is not needed, or change its password to one that is difficult to guess.

To disable the account

For a Windows NT:
1. Open User Manager.
2. Select the user from the list.
3. Select 'Properties' entry from the User menu.
4. Check the "Account Disabled" check box.

For a Windows 2000 domain:
1. Start Active Directory Users and Computers Management Console (dsa.msc).
2. Look for the user in the domain.
3. Select the 'Properties' entry for the user.
4. Select the 'Account' Tab.
5. Check the "Account is disabled" check box.

For stand-alone Windows 2000 machines:
1. Start Local Users and Groups Management Console (lusrmgr.msc).
2. Open the User folder and select the User.
3. Select the 'Properties' menu for the user.
4. Select the 'General' Tab.
5. Check the "Account is disabled" check box.

For Windows XP, 2003, VISTA, 7, 2008, 8, 2012, 10, 2016, 2019:
1. From the Start menu, select Run and execute lusrmgr.msc.
2. Open [Local Users and Groups] -> [Users] folder and select the User.
3. Select the 'Properties' menu for the user.
4. Select the 'General' Tab.
5. Check the "Account is disabled" check box.

To change the password

For Windows NT:
1. Open User Manager.
2. Select the user from the list.
3. Select 'Properties' entry from the User menu.
4. Type new password and confirm new password.

For a Windows 2000 domain:
1. Start Active Directory Users and Computers Management Console (dsa.msc) from a command prompt.
2. Open the Users folder and right-click the user object.
3. Select "Reset Password".
4. Type the new password and confirm it.

For a stand-alone Windows 2000 computer:
1. Start Local Users and Groups Management Console (lusrmgr.msc) from a command prompt.
2. Open the Users folder and right-click the user object.
3. Select "Set Password".
4. Type the new password and confirm it.

For Windows XP, 2003, VISTA, 7, 2008, 8, 2012, 10, 2016, 2019:
1. From the Start menu, select Run and execute lusrmgr.msc.
2. Open [Local Users and Groups] -> [Users] folder and select the User.
3. Right-click the user entry.
4. Select "Set Password".
5. Type new password and confirm new password.
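
As an added example of the domain remediation above in script form (not part of this advisory), the following PowerShell audits enabled domain users whose PASSWD_NOTREQD flag (userAccountControl 0x0020) permits an empty password, then disables those not on a constructed allow-list and resets the others to a random password. It assumes the RSAT ActiveDirectory module and rights to modify the accounts; the allow-list contents are placeholders.

```powershell
# Added example, not the advisory's own code. Assumes the ActiveDirectory
# module (RSAT) and an account allowed to disable users and reset passwords.
Import-Module ActiveDirectory

# Constructed placeholder: accounts that are still needed and must be
# reset rather than disabled.
$KeepEnabled = @('svc_backup')

# PasswordNotRequired maps to the PASSWD_NOTREQD bit; it is what allows an
# account to carry an empty password despite the domain minimum length.
$NoPwdRequired = Get-ADUser -Filter { PasswordNotRequired -eq $true -and Enabled -eq $true } `
    -Properties PasswordNotRequired, PasswordLastSet, LastLogonDate

foreach ($user in $NoPwdRequired) {
    Write-Host ("{0}: PasswordNotRequired set, last logon {1}" -f $user.SamAccountName, $user.LastLogonDate)

    if ($KeepEnabled -notcontains $user.SamAccountName) {
        # Advisory remedy 1: disable the account if it is not needed.
        Disable-ADAccount -Identity $user
        Write-Host "  disabled"
    } else {
        # Advisory remedy 2: set a password that is difficult to guess
        # (24 random bytes, base64 encoded), and clear PASSWD_NOTREQD so an
        # empty password cannot be set again.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd
        Set-ADUser -Identity $user -PasswordNotRequired $false
        Write-Host "  password reset and PasswordNotRequired cleared"
    }
}
```

Run it first with the two Set/Disable calls commented out to review the list of affected accounts before changing anything.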
Related URL CVE-1999-0506 (CVE)