Title: FW: "nt-guestnopw" clarification request

- Charles "Rick" Brown
- NSS-P/SETA
- [EMAIL PROTECTED]
- 1777 N. Kent Street, Rosslyn VA 22209
- (703) 588-6296


ISS,
        this is a second attempt to get someone from your organization to please provide clarification as to what ISS Internet Scanner is indicating with the following vulnerability checks:

        1)  "Guest account has no required password"
                A Guest account with no password required has been detected. An attacker could use this account to gain access to sensitive information. 

        2)  "Domain User has no required password"

                A Domain User account has been detected with no password required. No password requirement allows attackers unauthorized access to the host, including the ability to take over and replace processes, and access other computers on the network.

Are these indications that no policy is present/enforced that requires that a password be implemented for these accounts, or is it indicating that a user account has been identified with a default, blank, or missing password as indicated in CAN-1999-0504...which is listed as a "Standards associated with this entry" on the ISS X-FORCE database page?

        Standards associated with this entry:
CAN-1999-0504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0504>: A Windows NT local user or administrator account has a default, null, blank, or missing password.

Since there is a huge difference between our two aforementioned scenarios, we need your guidance to assure we are assigning the appropriate local risk level to them!

Regards


 -----Original Message-----
From:   Brown, Charles R Mr NSS-P/SETA 
Sent:   Friday, December 27, 2002 3:09 PM
To:     'ISS Technical Support'
Cc:     Bendit, Diana; Fockler, Curtis; Kubinski, Joseph; McCarthy, Daniel; McKay, Mark; Price, Tony; Stamper, Mike; Wilson, Susan

Subject:        "nt-guestnopw"  clarification request

- Charles "Rick" Brown
- NSS-P/SETA
- [EMAIL PROTECTED]
- 1777 N. Kent Street, Rosslyn VA 22209
- (703) 588-6296


ISS,
        please provide clarification as to what ISS Internet Scanner is indicating with the following vulnerabilities:
"Guest account has no required password"
A Guest account with no password required has been detected. An attacker could use this account to gain access to sensitive information. 

"Domain User has no required password"

A Domain User account has been detected with no password required. No password requirement allows attackers unauthorized access to the host, including the ability to take over and replace processes, and access other computers on the network.

Are these indications that no policy is present/enforced that requires that a password be implemented for these accounts, or is it indicating that a user account has been identified with a default, blank, or missing password as indicated in CAN-1999-0504...which is listed as a "Standards associated with this entry" on the ISS X-FORCE database page:

        Standards associated with this entry:
CAN-1999-0504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0504>: A Windows NT local user or administrator account has a default, null, blank, or missing password.

Since there is a huge difference between our two aforementioned scenarios, we need your guidance to assure we are assigning the appropriate local risk level to them!

Regards


Charles "Rick" Brown - CISSP, MCP
Contractor (SETA)
ODIT&C
Network Security Auditor
Network Security Services-Pentagon  (NSS-P)
PH: (703)-588-6296 FAX: (703)-588-8768
[EMAIL PROTECTED]
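The request above hinges on three conditions that are distinct on Windows NT-family hosts: a password policy that does not require a password, an account flagged as exempt from the policy, and an account whose password is actually blank (the CAN-1999-0504 condition). The following Python triage is an added example, not part of this email and not how ISS Internet Scanner implements its checks; it assumes the documented userAccountControl bits 0x0020 (UF_PASSWD_NOTREQD) and 0x0002 (UF_ACCOUNTDISABLE), a constructed `password_blank` result from an authorised audit, and an illustrative risk weighting.

```python
# Added example: classify account records by HOW "no password required" arises,
# because each condition carries a different local risk. Not ISS's own logic.
UF_ACCOUNTDISABLE = 0x0002   # documented userAccountControl bit: account disabled
UF_PASSWD_NOTREQD = 0x0020   # documented bit: account exempt from password policy

# Constructed sample input, not from any real scan.
SAMPLE_POLICY = {"min_password_length": 0}   # policy itself permits an empty password
SAMPLE_ACCOUNTS = [
    {"name": "Guest",   "uac": 0x0222, "password_blank": True},   # disabled, flag set, blank
    {"name": "svc_bak", "uac": 0x0220, "password_blank": False},  # enabled, flag set, has pw
    {"name": "jdoe",    "uac": 0x0200, "password_blank": True},   # enabled, blank password
    {"name": "asmith",  "uac": 0x0200, "password_blank": False},  # enabled, normal
]

def classify(account, policy):
    """Return the set of distinct 'no password' conditions for one account."""
    conditions = set()
    if account["password_blank"]:
        conditions.add("blank-password")        # the CAN-1999-0504 condition
    if account["uac"] & UF_PASSWD_NOTREQD:
        conditions.add("passwd-notreqd-flag")   # account may legitimately hold an empty password
    if policy["min_password_length"] == 0:
        conditions.add("policy-allows-empty")   # host/domain policy gap, applies to all accounts
    return conditions

def local_risk(account, policy):
    """Illustrative weighting (assumption): a usable blank password outranks the
    exemption flag, which outranks a bare policy gap; a disabled account is informational."""
    conditions = classify(account, policy)
    if account["uac"] & UF_ACCOUNTDISABLE:
        return "info"
    if "blank-password" in conditions:
        return "high"
    if "passwd-notreqd-flag" in conditions:
        return "medium"
    if "policy-allows-empty" in conditions:
        return "low"
    return "none"

def triage(accounts=SAMPLE_ACCOUNTS, policy=SAMPLE_POLICY):
    """Map each account name to (sorted conditions, local risk)."""
    return {a["name"]: (sorted(classify(a, policy)), local_risk(a, policy)) for a in accounts}

if __name__ == "__main__":
    for name, (conds, level) in triage().items():
        print(f"{name:8} {level:6} {conds}")
```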

