SMB Guest Login

Article ID: 177856

Products

Endpoint Protection

Issue/Introduction

A user would like to know what the following message means: "[SID: 21545] SMB Guest Login detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe"

Symptoms

This signature detects attempts to connect to a share using the user name "Guest". The Guest account is disabled by default on most Windows installations.


Cause

Several vendors apply the Windows access control model poorly to their services. A common mistake is to grant the SERVICE_CHANGE_CONFIG permission indiscriminately on services. A normal, unprivileged user is a member of the Authenticated Users group, so such a user can then change the executable and the account under which these services run. The Service Control Manager (SCM) API provides functionality to create a new service, change the configuration of an existing service, and so on, and the SCM is exposed remotely via the named pipe svcctl. Thus, it is possible for a user to connect to the target system as "Guest" and change the configuration of the weak service through the svcctl named pipe. Note: A user logged in as Guest belongs to the "Authenticated Users" group.
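To triage a batch of these alerts, the message quoted above can be parsed into its SID, action and application fields and then summarized. The following is an added example written for this article, not Symantec or Broadcom code; it assumes only the message format shown above, and the sample lines other than the first are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Message format as quoted in this article; the action word and the application
# path are the parts expected to vary between alerts.
_ALERT_RE = re.compile(
    r"\[SID:\s*(?P<sid>\d+)\]\s*(?P<name>.+?) detected\.\s*"
    r"Traffic has been (?P<action>allowed|blocked) from this application:\s*(?P<app>\S.*?)\s*$"
)

class IpsAlert(NamedTuple):
    sid: int
    name: str
    action: str
    application: str

def kernel_attributed(alert: IpsAlert) -> bool:
    # ntoskrnl.exe is the image of the System process, i.e. the SMB traffic was
    # handled by the built-in kernel SMB stack rather than by a user-mode program.
    return alert.application.lower().endswith("\\ntoskrnl.exe")

def parse_alert(line: str) -> Optional[IpsAlert]:
    """Parse one alert message; return None for lines in another format."""
    m = _ALERT_RE.search(line)
    if m is None:
        return None
    return IpsAlert(int(m["sid"]), m["name"].strip(), m["action"], m["app"])

def summarize(lines: List[str], sid: int = 21545) -> Dict[str, object]:
    """Count allowed/blocked alerts for one SID and list user-mode applications to review."""
    allowed = blocked = 0
    review: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert.sid != sid:
            continue
        if alert.action == "allowed":
            allowed += 1
        else:
            blocked += 1
        # A Guest SMB login carried by a user-mode program rather than the kernel
        # SMB stack is the case worth a closer look on the host that raised it.
        if not kernel_attributed(alert) and alert.application not in review:
            review.append(alert.application)
    return {"allowed": allowed, "blocked": blocked, "review_applications": review}

# Constructed sample lines; the first is the message quoted in this article.
SAMPLE_LINES = [
    r"[SID: 21545] SMB Guest Login detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe",
    r"[SID: 21545] SMB Guest Login detected. Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe",
    r"[SID: 21545] SMB Guest Login detected. Traffic has been allowed from this application: C:\Tools\share-scanner.exe",
    "2024-01-01 unrelated client log line that the parser must ignore",
]
```

Calling summarize(SAMPLE_LINES) on the constructed input reports two allowed and one blocked alert, with the one non-kernel application listed for review.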

Resolution

Verify that the "Guest" user account on the target system is not enabled.


References
Security Response: SMB Guest Login