VID 28017
Severity 20
Port 139
Protocol TCP
Class RAS
Detailed Description Remote Access Service (RAS) is detected. RAS lets remote users dial into a Windows NT/2000 RAS server through a modem port and use the resources of its network as if directly connected.
A user on your network could be using RAS to gain access to your network from a remote location. This could provide an entry point that lets attackers bypass required security mechanisms.

* Note: This check requires an account with Guest or higher privileges that can log into the host being scanned. If this condition is not met, the check is not performed and every vulnerable host produces a false negative.

* References:
http://www.iss.net/security_center/static/16.php
http://www.att.com/isc/docs/war_dial_detection.pdf

* Platforms Affected:
Microsoft Windows Any version
Recommendation Disable Remote Access Services (RAS) if it is not needed, or configure RAS to disallow incoming calls.
If it is an approved RAS host, configure it securely before putting it into use. For example, RAS can be configured to establish a connection only by automatically calling back the user; this ensures that you know the telephone number of the user gaining access via this RAS host.

* Stop or disable Remote Access Services.

For Windows NT, to stop or disable a service:

1. Open the Services control panel. From the Windows NT Start menu, select Settings, Control Panel, Services.
2. Select the service from the list.
3. Click Stop.
4. When the service has stopped, click Startup, and choose one of these options:
o To permanently disable the service, click Disabled.
o To turn the service off unless manually activated by the user or a program, click Manual.
5. Click OK, then click Close.

For Windows 2000, to stop the Routing and Remote Access service:

1. From the Start menu, select Programs, Administrative Tools, Services, Routing and Remote Access.
2. Select the service from the list.
3. Click Stop.
4. When the service has stopped, click Startup, and choose one of these options:
o To permanently disable the service, click Disabled.
o To turn the service off unless manually activated by the user or a program, click Manual.
5. Click OK, then click Close.

1. Go to Start menu -> Run and type 'services.msc'.
2. Select 'Routing and Remote Access'.
3. Click Stop.
4. When the service has stopped, click Startup, and choose one of these options:
o To permanently disable the service, click Disabled.
o To turn the service off unless manually activated by the user or a program, click Manual.
5. Click OK, then click Close.

-- AND --

From the Network control panel, remove Remote Access Services from the computer.

For Windows NT, to remove a network service:

1. Open the Network control panel. From the Windows NT Start menu, select Settings, Control Panel, Network.
2. Click the Services tab.
3. Highlight the service you want to remove.
4. Click Remove and confirm the removal.
5. Click OK to close the Network control panel.

-- OR --

* If RAS is required, disallow the dial-in option. This action does not remove the vulnerability, but it does make RAS somewhat safer from incoming connections.

For Windows NT, to disable dial-in for RAS:

1. Open the Network control panel. From the Windows NT Start menu, select Settings, Control Panel, Network.
2. From the Services tab, select Remote Access Services.
3. Click Properties.
4. Select the communication device you want to configure.
5. Click Configure.
6. Set the Port Usage to Dial Out Only and click OK.
7. Repeat steps 4 to 6 for other communication devices.

For Windows 2000 Server, to disable dial-in for RAS:

1. From a command prompt, start rrasmgmt.msc (Routing and Remote Access management console).
2. Click on the RAS server of interest.
3. Right-click on the Ports sub-configuration option, and then select Properties.
4. Click the Devices tab, and then select the communication device you want to configure.
5. Click Configure.
6. Clear the Remote access connections (inbound only) checkbox.
7. Repeat steps 4 to 6 for other communication devices.
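The following PowerShell function is an added example, not part of the original advisory: it audits the Routing and Remote Access service (Windows service name `RemoteAccess`, an assumption about the target host) and, with `-Disable`, performs the equivalent of the Stop + Startup: Disabled steps above. The `Test-RasService` name is hypothetical; it assumes Windows PowerShell 5.1 or later with local administrator rights.

```powershell
# Added example (not from the original advisory). Assumes the RAS service is
# registered as 'RemoteAccess' (display name "Routing and Remote Access").
function Test-RasService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Disable   # without this switch the function only reports
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"
    if (-not $svc) {
        # No RAS service registered: nothing for the scanner check to detect.
        return [pscustomobject]@{ Present = $false; State = 'n/a'; StartMode = 'n/a'; Exposed = $false }
    }

    # A running service, or one that starts automatically at boot,
    # counts as exposed for the purposes of this advisory.
    $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -eq 'Auto')

    if ($Disable -and $exposed -and $PSCmdlet.ShouldProcess('RemoteAccess', 'Stop and disable')) {
        # Same effect as Stop, then Startup -> Disabled in the Services console.
        Stop-Service -Name RemoteAccess -Force -ErrorAction SilentlyContinue
        Set-Service -Name RemoteAccess -StartupType Disabled

        # Re-read the service so the report reflects the new state.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"
        $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -eq 'Auto')
    }

    [pscustomobject]@{
        Present   = $true
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
        Exposed   = $exposed
    }
}

# Report only (safe to run on any host):
Test-RasService

# Preview, then apply, the remediation on an unapproved RAS host:
# Test-RasService -Disable -WhatIf
# Test-RasService -Disable
```

On an approved RAS host, run the report form only and keep the dial-in restrictions from the steps above; `Exposed = $true` there is expected and should be tracked as an accepted risk rather than remediated.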