GEN:SID | 1:2983 |
Message | NETBIOS SMB-DS ADMIN$ unicode andx share access |
Summary | This event is generated when an attempt is made to access the ADMIN$ administrative share of a Windows host.
|
Impact | Serious. Possible administrator access to the host. Information disclosure.
|
Detailed Information | By default, Windows hosts expose administrative shares of the local hard drives, named using the format %DRIVE_LETTER% + $. Anybody with administrative rights can access these shares remotely.
|
Affected Systems | Windows hosts.
|
Attack Scenarios | An attacker may be attempting to access files located on the C drive of the host.
|
Ease of Attack | Simple.
|
Corrective Action | Disallow NetBIOS access from external networks (TCP port 139).
|
Additional References | Arachnids: http://www.whitehats.com/info/IDS339
Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
|