| VID |
28036 |
| Severity |
20 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The system allows to display the Windows XP screen instead of the classic Windows NT/2000 format screen. The registry key "LogonType" is used to determine whether the Windows XP welcome screen or the classic Windows NT/2000 logon screen is shown when users access to the Windows XP. If the value is "1", the Windows XP welcome screen is shown and if it's "0", the classic Windows NT/2000 logon screen is shown. In the Windows XP screen case, when users first boot the machine, log off, or use fast user switching, the system displays a new XP welcome screen with the computer's local accounts. Then users can log on as one of these accounts. Due to the misconfiguration, an attacker can gain the valid list of users of the host and perform the further attackers using it. For preventing this information of the system, you should prevent the system from displaying the Windows XP welcome screen by setting this configuration appropriately.
* Registry Settings:
>> System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]
>> Value Name: LogonType
>> Data Type: REG_DWORD (DWORD Value)
>> Value Data: (0 = Classic Mode, 1 = Welcome Screen)
* Note: This check requires an account with Guest or upper privileges which can access the registry of the remote host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://www.winguides.com/registry/display.php/972
http://www.kellys-korner-xp.com/xp_wel_screen.htm
* Platforms Affected:
Microsoft Windows XP |
| Recommendation |
Set the value data of the registry key appropriately.
1. Open your registry and find [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon].
2. Create a new DWORD value, or modify the existing value, called "LogonType".
3. Set it to "0" to display the classic Windows NT/2000 format screen.
4. Exit your registry, you may need to restart or log out of Windows for the change to take effect. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
