Article ID: 177856
Issue/Introduction
A user would like to know what the following message means: "[SID: 21545] SMB Guest Login detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe"
Symptoms
This signature detects attempts to connect to a share using the "Guest" account credentials. The Guest account is disabled by default on most Windows installations.
Cause
Several vendors apply the Windows access control model poorly to their services. A common mistake is to grant the SERVICE_CHANGE_CONFIG permission indiscriminately on services. A normal, unprivileged user is a member of the Authenticated Users group, so a normal user can then change the executable and the account under which such a service runs.
The Service Control Manager (SCM) API provides functions to create a new service, change the configuration of an existing service, and so on.
The SCM is exposed remotely through the named pipe svcctl. A user who connects to the target system as "Guest" can therefore change the configuration of the weakly protected service through the svcctl named pipe.
Note: A user logged in as a Guest belongs to the "Authenticated Users" group.
Resolution
Verify that the "Guest" user account on the target system is not enabled.
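As an added illustration (not part of this article), the following Python checks a service's security descriptor for access-allowed entries that grant SERVICE_CHANGE_CONFIG, or a generic right that contains it, to broad trustees such as Authenticated Users or Everyone. On Windows the SDDL string is obtained with `sc.exe sdshow <service>`; the two SDDL strings embedded here are constructed samples, not descriptors from any real system.

```python
import re

# SDDL rights tokens with their bit values. For services the object-specific
# bits mean: CC=QUERY_CONFIG, DC=CHANGE_CONFIG, LC=QUERY_STATUS, SW=ENUMERATE_DEPENDENTS,
# RP=START, WP=STOP, DT=PAUSE_CONTINUE, LO=INTERROGATE, CR=USER_DEFINED_CONTROL.
RIGHT_BITS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Any of these lets the trustee reconfigure the service: DC directly,
# GENERIC_ALL/GENERIC_WRITE (which map onto DC), or WRITE_DAC (grant yourself DC).
CHANGE_CONFIG_MASK = RIGHT_BITS["DC"] | RIGHT_BITS["GA"] | RIGHT_BITS["GW"] | RIGHT_BITS["WD"]

# Trustees that a low-privilege logon (including Guest, per the article) can map to.
LOW_PRIV_TRUSTEES = {
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "Builtin Users", "IU": "Interactive", "BG": "Builtin Guests", "AN": "Anonymous",
}
ACE_RE = re.compile(r"\(([^)]*)\)")

def rights_to_mask(rights: str) -> int:
    """Convert an SDDL rights field ("CCDCLC..." or hex like "0x2") to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in RIGHT_BITS:
            raise ValueError(f"unknown rights token {token!r}")
        mask |= RIGHT_BITS[token]
    return mask

def weak_config_aces(sddl: str):
    """Return (trustee name, rights) for every allow ACE in the DACL that lets a
    low-privilege trustee change the service configuration."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]                    # drop a trailing SACL, if any
    findings = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")                      # type;flags;rights;guid;guid;sid
        if len(fields) < 6 or fields[0] != "A":      # only access-allowed ACEs matter
            continue
        rights, trustee = fields[2], fields[5]
        if trustee in LOW_PRIV_TRUSTEES and rights_to_mask(rights) & CHANGE_CONFIG_MASK:
            findings.append((LOW_PRIV_TRUSTEES[trustee], rights))
    return findings

# Constructed samples: a typical default descriptor and one that grants DC to AU.
SAFE_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
WEAK_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("safe", SAFE_SDDL), ("weak", WEAK_SDDL)):
        print(name, weak_config_aces(sddl) or "no broad SERVICE_CHANGE_CONFIG grants")
```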
References
Security Response: SMB Guest Login