Vuln-ID 163 "Guest account has no required password"
Status
- The description is not clear and leads to misunderstandings
Description
The vulnerability description of this Vuln-ID leads to misunderstandings of the situation on the target system. A more detailed explanation is necessary to understand the vulnerability correctly.
The same problem exists with Vuln-IDs 161, 162, 1356, 1360 and 1363.
Impact
The names of the "has no password" checks can be misleading. The account being reported has the "Allow blank password" option enabled. The account may have a password assigned to it.
Note: The setting allowing blank passwords is an account-level option, not a system-level option. Windows does not provide a user interface for changing this setting. All of the "has no password" checks are listed under the "NT Password Policy" section in the Policy Editor. The "blank password" checks are listed under "NT Password Checks."
Action
To verify if the account actually requires a password, follow the instructions below. From a command prompt on the computer in question, type the following command:
net user {username}
If the "Password Required" field has a value of "NO," then type the following command to change the setting:
net user {username} /passwordreq:yes
After changing this setting, the vulnerability is no longer reported.
HTH.
With best regards,
Tommy Jørgensen
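As an added example (not part of the thread or of ISS's own tooling), the following PowerShell script applies the `net user` check from the reply above to every local account, reports those whose "Password required" field is "No", and only remediates with the same `/passwordreq:yes` command when `-Fix` is given. It assumes Windows, an elevated PowerShell prompt, and English-language `net user` output.

```powershell
# Added example, not from the thread: audit every local account for the
# "Password required: No" condition behind the "has no required password"
# checks, and optionally apply the /passwordreq:yes fix from the reply above.
# Assumptions: Windows, elevated PowerShell, English-language "net user" output.
param(
    [switch]$Fix   # when present, remediate each offending account
)

# Parse "net user <name>" into a hashtable of field name -> value.
# Field lines look like "Password required            No" (2+ spaces between).
function Get-NetUserFields {
    param([Parameter(Mandatory)][string]$UserName)
    $lines = & net user $UserName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net user failed for '$UserName': $lines" }
    $fields = @{}
    foreach ($line in $lines) {
        if ("$line" -match '^(?<name>\S.*?\S)\s{2,}(?<value>\S.*)$') {
            $fields[$Matches['name']] = $Matches['value'].Trim()
        }
    }
    return $fields
}

# Bare "net user" prints account names in columns under a dashed rule; flatten them.
function Get-LocalAccountNames {
    $names = @()
    $inList = $false
    foreach ($line in (& net user 2>&1)) {
        if ("$line" -match '^-{10,}') { $inList = $true; continue }
        if ("$line" -match 'command completed') { break }
        if ($inList -and "$line".Trim()) {
            $names += @("$line".Trim() -split '\s{2,}' | Where-Object { $_ })
        }
    }
    return $names
}

$offenders = foreach ($name in Get-LocalAccountNames) {
    $f = Get-NetUserFields -UserName $name
    if ($f['Password required'] -match '^no$') { $name }   # blank password allowed
}

if (-not $offenders) { Write-Output 'No local account allows a blank password.'; return }
foreach ($name in $offenders) {
    Write-Output "$name : Password required = No (reported as 'has no required password')"
    if ($Fix) {
        & net user $name /passwordreq:yes | Out-Null
        Write-Output "  -> set /passwordreq:yes for $name"
    }
}
```

On Windows 10 and later, `Get-LocalUser | Where-Object { -not $_.PasswordRequired }` reports the same accounts directly without parsing `net user` output.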
-----Original Message-----
From: Brown, Charles R Mr NSS-P/SETA [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 23:02
To: 'ISS Technical Support'; '[EMAIL PROTECTED]'
Cc: Bendit, Diana; Fockler, Curtis; Kubinski, Joseph; McCarthy, Daniel; McKay, Mark; Ortiz, Semone; Price, Tony; Stamper, Mike; Wilson, Susan
Subject: [ISSForum] FW: "nt-guestnopw" clarification request
- Charles "Rick" Brown
- NSS-P/SETA
- [EMAIL PROTECTED]
- 1777 N. Kent Street, Rosslyn VA 22209
- (703) 588-6296
ISS,
this is a second attempt to get someone from your organization to please provide clarification as to what ISS Internet Scanner is indicating with the following vulnerability checks:
1) "Guest account has no required password".
A Guest account with no password required has been detected. An attacker could use this account to gain access to sensitive information.
2) "Domain User has no required password"
A Domain User account has been detected with no password required. No password requirement allows attackers unauthorized access to the host, including the ability to take over and replace processes, and access other computers on the network.
Are these indications that no policy is present/enforced that requires that a password be implemented for these accounts, or is it indicating that a user account has been identified with a default, blank, or missing password as indicated in CAN-1999-0504...which is listed as a "Standards associated with this entry" on the ISS X-FORCE database page?
Standards associated with this entry:
CAN-1999-0504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0504>: A Windows NT local user or administrator account has a default, null, blank, or missing password.
Since there is a huge difference between our two aforementioned scenarios, we need your guidance to assure we are assigning the appropriate local risk level to them!
Regards
-----Original Message-----
From: Brown, Charles R Mr NSS-P/SETA
Sent: Friday, December 27, 2002 3:09 PM
To: 'ISS Technical Support'
Cc: Bendit, Diana; Fockler, Curtis; Kubinski, Joseph; McCarthy, Daniel; McKay, Mark; Price, Tony; Stamper, Mike; Wilson, Susan
Subject: "nt-guestnopw" clarification request
- Charles "Rick" Brown
- NSS-P/SETA
- [EMAIL PROTECTED]
- 1777 N. Kent Street, Rosslyn VA 22209
- (703) 588-6296
ISS,
please provide clarification as to what ISS Internet Scanner is indicating with the following vulnerabilities:
"Guest account has no required password".
A Guest account with no password required has been detected. An attacker could use this account to gain access to sensitive information.
"Domain User has no required password"
A Domain User account has been detected with no password required. No password requirement allows attackers unauthorized access to the host, including the ability to take over and replace processes, and access other computers on the network.
Are these indications that no policy is present/enforced that requires that a password be implemented for these accounts, or is it indicating that a user account has been identified with a default, blank, or missing password as indicated in CAN-1999-0504...which is listed as a "Standards associated with this entry" on the ISS X-FORCE database page:
Standards associated with this entry:
CAN-1999-0504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0504>: A Windows NT local user or administrator account has a default, null, blank, or missing password.
Since there is a huge difference between our two aforementioned scenarios, we need your guidance to assure we are assigning the appropriate local risk level to them!
Regards
Charles "Rick" Brown - CISSP, MCP
Contractor (SETA)
ODIT&C
Network Security Auditor
Network Security Services-Pentagon (NSS-P)
PH: (703)-588-6296 FAX: (703)-588-8768
[EMAIL PROTECTED]
