Cadzow Knowledgebase


Welcome
Contact Us
Professional
Services

Consulting
Knowledgebase/
Site Search

Remote Support

Print Friendly

Preventing SMB Password Leakage to the Internet

August 2015 — A security issue has been identified in Windows whereby Active Directory credentials may be sent to hosts on the internet as a result of a malicious attack (or misconfiguration). Once a malicious party has a username, password hash and a source IP address, the hash could be decoded to the original plain text password and provide an attack on other Internet-facing assets, such as Outlook Web Access or Remote Desktop.

To mitigate exploitation of such an attack:

  1. Ensure user passwords are strong, unique and lengthy. This makes decoding the hash more difficult, and may mitigate dictionary attacks. Malicious third-parties may prioritise intrusions against systems where the passwords are weaker.

  2. On individual workstations, configure the firewall to drop SMB packets except on the local subnet:

    For Windows Vista and above, open an elevated command prompt and enter:

    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (SMB-Out)" new remoteip=localsubnet
    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (NB-Datagram-Out)" new remoteip=localsubnet
    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (NB-Name-Out)" new remoteip=localsubnet
    netsh AdvFirewall Firewall set rule name="File and Printer Sharing (NB-Session-Out)" new remoteip=localsubnet

  3. Configure router to drop outgoing packets on ports 135-139 and 445.

Copyright © 1996-2019 Cadzow TECH Pty. Ltd. All rights reserved.
Information and prices contained in this website may change without notice. Terms of use.


Question/comment about this page? Please email webguru@cadzow.com.au