| VID | 28623 |
| Severity | 40 |
| Port | 139, 445 |
| Protocol | TCP |
| Class | SMB |
| Detailed Description |
The Security Event Log is configured to be accessible to a user who has logged on to the system with guest privileges or through a null session. An attacker who has successfully logged on to a computer with guest privileges or a null session can therefore read important information about the system from the Security Event Log. The attacker could then use this information to carry out additional exploits.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, resulting in a False Negative for all vulnerable hosts.
* References:
  * http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch06.mspx
  * http://msdn.microsoft.com/library/en-us/dnsecure/html/msdn_secinst.asp
  * http://is-it-true.org/nt/atips/atips28.shtml
* Platforms Affected: Microsoft Windows, any version |
| Recommendation |
Remove network access rights for the Guest account.
1. Open Registry Editor. (From the Windows system Start menu, select Run, type regedit or regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security registry key.
3. Set the value for "RestrictGuestAccess" entry to "1".
4. To apply the change, restart the system. |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 121 (ISS) |
|
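
The registry check and change from the Recommendation, scripted in PowerShell as an added example (not part of the original advisory). The function names are hypothetical; the example assumes the value is stored as a REG_DWORD and treats a missing value as not restricted.

```powershell
# Added example: audit and remediate the RestrictGuestAccess setting from the Recommendation.
# Function names are hypothetical. Assumption: the value is stored as a REG_DWORD.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Services\EventLog\Security'
$ValueName = 'RestrictGuestAccess'

function Get-GuestAccessState {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; State = 'KeyMissing'; Value = $null }
    }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Assumption: an absent value is treated as not restricted and reported as a finding.
        return [pscustomobject]@{ Path = $Path; State = 'NotSet'; Value = $null }
    }
    $value = $item.$Name
    $state = if ($value -eq 1) { 'Restricted' } else { 'NotRestricted' }
    [pscustomobject]@{ Path = $Path; State = $state; Value = $value }
}

function Set-GuestAccessRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)
    $before = Get-GuestAccessState -Path $Path -Name $Name
    if ($before.State -eq 'Restricted') { return $before }   # already compliant, no write
    if ($before.State -eq 'KeyMissing') { throw "Registry key not found: $Path" }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Set to 1')) {
        # Needs an elevated session. Step 4 of the procedure (restart) still applies.
        New-ItemProperty -LiteralPath $Path -Name $Name -Value 1 `
            -PropertyType DWord -Force | Out-Null
        Write-Warning 'RestrictGuestAccess set to 1. Restart the system to apply the change.'
    }
    Get-GuestAccessState -Path $Path -Name $Name
}

Get-GuestAccessState                     # audit only, makes no changes
# Set-GuestAccessRestriction -WhatIf     # preview the change
# Set-GuestAccessRestriction             # apply it
```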