Logon input method vulnerability
The first problem is a logon bypass, commonly called the input method (IME) vulnerability. When Windows 2000 has started and is sitting at the logon prompt, any user can open the help window of one of the input methods, and some of the functions in that help window give access to the file system. In other words, the Windows 2000 logon check can be bypassed and the whole system reached with the highest, administrator-level privilege. The vulnerability is therefore very dangerous, and it can also be used against the system remotely through a Terminal Server session. The input methods shipped with a default Windows 2000 installation that carry this vulnerability are: Intelligent ABC, Microsoft Pinyin, Internal Code, Quanpin (full pinyin), Shuangpin (double pinyin) and Zhengma. In my view this is the first vulnerability that must be fixed.
1. Delete the input methods you do not need, such as Zhengma.
2. Since we cannot delete all of the built-in input methods, for any vulnerable input method you still want to use, delete that input method's help file instead. These help files are normally in the HELP directory of the Windows 2000 installation (for example c:\winnt\help); the corresponding files are:
※ Winime.chm  input method operation guide
※ Winsp.chm   Shuangpin (double pinyin) input method help
※ Winzm.chm   Zhengma input method help
※ Winpy.chm   Quanpin (full pinyin) input method help
※ Wingb.chm   Internal Code input method help
3. Microsoft has issued security bulletin MS00-069 for this issue and published patches for both Simplified Chinese and English Windows 2000 on its web site, so apply the patch as soon as possible.
NetBIOS information leakage
Next, NetBIOS share intrusion. This problem has existed since NT was first released and has always been the most common way into systems built on the NT architecture. Particularly worth mentioning is the well-known IPC$ null session on NT. Although from SP3 onward it could be restricted by modifying the registry, Windows 2000 for some reason still allows this null session by default. Let's look at what a null session hands to an intruder:
net use \\Server\IPC$ "" /user:""    // establishes a null session to the server
net view \\Server                     // lists the shared resources of the remote server
Server Name            Comment
-------------------------------------------------------
\\PC1
\\PC2
The command completed successfully.
net time \\Server                     // gets the current time of the remote server
nbtstat -A Server                     // gets the NetBIOS name table of the remote server
NetBIOS Remote Machine Name Table
    Name               Type         Status
    ---------------------------------------------
    NULL           <00>  UNIQUE      Registered
    NULL           <20>  UNIQUE      Registered
    INTERNET       <00>  GROUP       Registered
    XIXI           <03>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~NULL....... <00>  UNIQUE      Registered
    INTERNET       <1E>  GROUP       Registered
    Administrator  <03>  UNIQUE      Registered
    INTERNET       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
MAC Address = 00-54-4F-34-D8-80
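As an added example (not part of the original article), here is a Python parser for the nbtstat -A name table shown above: it reads the name/suffix pairs and reports what an unauthenticated query discloses (computer name, workgroup, logged-on user, file sharing, IIS, browser role, MAC address). The sample output and its names are constructed for the example.

```python
import re
# Constructed sample of `nbtstat -A <server>` output modelled on the table above;
# the host, workgroup and user names are placeholders, not real systems.
SAMPLE_NBTSTAT = """\
    PC1            <00>  UNIQUE      Registered
    PC1            <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~PC1.........<00>  UNIQUE      Registered
    Administrator  <03>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    MAC Address = 00-54-4F-34-D8-80
"""
ROW_RE = re.compile(r"^\s*(?P<name>.+?)\s*<(?P<suffix>[0-9A-F]{2})>\s+(?P<type>UNIQUE|GROUP)\b", re.I)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-F]{2}(?:-[0-9A-F]{2}){5})", re.I)

def parse_nbtstat(text):
    """Map each NetBIOS name/suffix pair to what it discloses to an anonymous query."""
    computers, domains, messenger = set(), set(), set()
    info = {"file_sharing": False, "domain_controller": False, "iis_present": False,
            "master_browser": False, "mac_address": None}
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            if mac := MAC_RE.search(line):
                info["mac_address"] = mac.group(1).upper()
            continue
        name = row.group("name").rstrip(".").upper()
        suffix, ntype = row.group("suffix").upper(), row.group("type").upper()
        if "__MSBROWSE__" in name:                  # <01> group: this host is the master browser
            info["master_browser"] = True
        elif suffix == "00" and ntype == "UNIQUE":  # workstation service: the computer name
            info["iis_present"] |= name.startswith("IS~")   # IIS registers IS~<computer>
            computers.add(name.removeprefix("IS~"))
        elif suffix == "20":                        # server service: file/print sharing is on
            info["file_sharing"] = True
            computers.add(name)
        elif suffix == "03":                        # messenger: computer name or logged-on user
            messenger.add(name)
        elif suffix == "1C" and name == "INET~SERVICES":    # registered by IIS
            info["iis_present"] = True
        elif suffix == "1C":                        # only domain controllers register <1C>
            info["domain_controller"] = True
            domains.add(name)
        elif suffix in ("00", "1B", "1D", "1E"):    # workgroup/domain and browser names
            domains.add(name)
    info["computer_names"] = sorted(computers)
    info["domains_or_workgroups"] = sorted(domains)
    info["logged_on_users"] = sorted(messenger - computers)   # <03> names that are not hosts
    return info
```

RestrictAnonymous governs SMB null sessions, not the UDP 137 name query behind nbtstat -A, so the name table stays visible until NetBIOS over TCP/IP is itself blocked.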
Look: with nothing more than the commands that ship with the system, an outsider can collect this much information. Is there any way to stop it? A simple registry change is enough:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1
And if you do not need to offer shares at all, why not disable NetBIOS altogether? The method in Windows 2000 differs slightly from NT4: it does not let you simply unbind NetBIOS from TCP/IP. Instead, open the properties of Internet Protocol (TCP/IP), click Advanced, choose the TCP/IP filtering option, click Enable TCP/IP filtering, then under TCP Ports select "Permit Only" and add just the ports you want to leave open.