Hi Carl, >From where you performed your Nessus scan against this Windows host, anyone with network access to that system can log into it with a bogus account.
If this system is outisde of a firewall or reachable by just about anyone in your organization, this could be a serious problem for you. If you had to go through extraordinary effort to scan this box (plug in to a DMZ, get the IT guys to open firewall ports, .etc) this is something that should be fixed, but won't be as serious. If your system has any other vulnerabilities, such as a locally exploitable vulnerability, it may be possible for a remote user to connect with a guest account and then attempt to become an administrator. Of course, if the system isn't really hardened, a guest account might be all the access that a remote user would need to read files, install a backdoor, turn the system into a bot, launch attacks against other systems and so on. To verify that remote access is allowed by this host, you could try using the smbshell tool from Tenable: http://cgi.tenablesecurity.com/tenable/smbshell.php Keep in mind that Windows has many different types of access control for file access and program execution. The plugin said that it could log in. Your IT people may have put some level of security of hardening for 'Guest' users or they may not have. Ron Gula Tenable Network Security Nelson, C.M. wrote: > Hi, > > Plugin 26919 says: > > ........ > Synopsis : It is possible to log into the remote host. Description : The > remote host is running one of the Microsoft Windows operating systems. It was > possible to log into it as a guest user using a random account. > > In the group policy change the setting for 'Network access: Sharing and > security model for local accounts' from 'Guest only - local users > authenticate as Guest' to 'Classic - local users authenticate as themselves'. > / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) > ........ > > > Could someone explain what the significance or seriousness of this is? Does > it suggest a remote or local exploit is possible? If so what can be achieved > and how can I confirm that the report is correct? > > -- > Carl Nelson, > Information Security Office, > IT Services, > University of Leicester, Leicester, LE1 7RH, U.K. > Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027 > _______________________________________________ > Nessus mailing list > [email protected] > http://mail.nessus.org/mailman/listinfo/nessus > _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
