VID 28033
Severity 40
Port 139,445
Protocol TCP
Class SMB
Detailed Description The system allows the user's logon information to be cached.
The registry value "CachedLogonsCount" determines how many user account entries Windows saves in the logon cache on the local computer. If the value is not zero ("0"), the system saves logon data for up to that many user accounts in the logon cache.
In that case, users whose information is cached can still log on when their domain controller is not available. If the value is zero ("0") and a user tries to log on while the domain controller is not available, on a computer that does not hold the user's logon information, the system displays the following message:

"The system cannot log you on now because the domain <Domain Name> is not available"

For best security practice, you should prevent the system from caching the user's logon information by setting this configuration appropriately.

* Registry Settings :
>> System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
>> Value Name: CachedLogonsCount
>> Data Type: REG_SZ (String Value)
>> Value Data: 0 - 50 (0 = disabled, 10 = default)

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed and every vulnerable host produces a false negative.

* References:
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/regentry/58528.asp
http://support.microsoft.com/default.aspx?scid=KB;en-us;q172931

* Platforms Affected:
Microsoft Windows 2000 or XP
Microsoft Windows NT
Recommendation Set the value data of the registry key appropriately.

1. Open your registry and find [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon].
2. Create a new DWORD value, or modify the existing value, called "CachedLogonsCount".
3. Set it to "0" to enable the restriction.
4. Exit the registry editor; you may need to restart or log out of Windows for the change to take effect.
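An added audit script for this check (example code, not part of the original entry or of the scanner): it reads the Winlogon value documented above, reports its registry type and effective count, and offers the recommended remediation. It assumes the registry path and default documented above and that an absent value means the default of 10 applies.

```powershell
# Added example (not part of the original VID 28033 entry): audit the
# CachedLogonsCount value described above and report whether logon caching
# is disabled. Runs on the local host; for remote hosts wrap it in Invoke-Command.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName    = 'CachedLogonsCount'

function Get-CachedLogonsCountStatus {
    param([string]$Path = $WinlogonPath)

    $key = Get-Item -Path $Path -ErrorAction Stop
    $result = [ordered]@{
        Present   = $false
        Kind      = $null
        Value     = $null
        Effective = 10        # assumed: documented default applies when absent
        Compliant = $false
        Note      = ''
    }

    if ($key.GetValueNames() -contains $ValueName) {
        $result.Present = $true
        $result.Kind    = $key.GetValueKind($ValueName).ToString()
        $result.Value   = $key.GetValue($ValueName)
        # The entry documents this value as REG_SZ; flag any other type so an
        # operator does not mistake a mistyped value for an applied control.
        if ($result.Kind -ne 'String') {
            $result.Note = "Stored as $($result.Kind), expected REG_SZ"
        }
        $parsed = 0
        if ([int]::TryParse([string]$result.Value, [ref]$parsed)) {
            $result.Effective = $parsed
        } else {
            $result.Note = "Non-numeric value '$($result.Value)'"
        }
    } else {
        $result.Note = 'Value absent; default of 10 assumed to apply'
    }

    # Compliant only when "0" is present with the documented REG_SZ type.
    $result.Compliant = $result.Present -and ($result.Kind -eq 'String') -and ($result.Effective -eq 0)
    [pscustomobject]$result
}

function Set-CachedLogonsCountDisabled {
    # Remediation per the recommendation above: REG_SZ "0". Requires elevation.
    New-ItemProperty -Path $WinlogonPath -Name $ValueName -Value '0' -PropertyType String -Force | Out-Null
    Get-CachedLogonsCountStatus
}

Get-CachedLogonsCountStatus | Format-List
```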
Related URL CVE-1999-0535 (CVE)
Related URL (SecurityFocus)
Related URL 2542,2543 (ISS)