Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

It is possible to obtain the host SID for the remote host, without
credentials.

Description :

By emulating the call to LsaQueryInformationPolicy(), it was possible
to obtain the host SID (Security Identifier), without credentials.

The host SID can then be used to get the list of local users.
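The host SID that LsaQueryInformationPolicy() returns is a binary structure (revision, sub-authority count, 6-byte identifier authority, little-endian sub-authorities). As an added example, not part of this plugin or of Tenable's code, the decoder below renders that structure in the familiar S-1-5-21-... form and checks that it is a well-formed machine SID; the sample blob is constructed for the example and is not a real host SID.

```python
import struct

# Constructed sample: binary form of S-1-5-21-1234567890-2345678901-3456789012
# (values chosen for the example, not captured from a real host).
SAMPLE_SID = bytes.fromhex(
    "01"            # revision
    "04"            # number of sub-authorities
    "000000000005"  # identifier authority (48-bit, big-endian): NT authority
    "15000000"      # sub-authority 0: 21 (little-endian)
    "d2029649"      # sub-authority 1: 1234567890
    "3538d08b"      # sub-authority 2: 2345678901
    "146a0ace"      # sub-authority 3: 3456789012
)

def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID into its S-R-A-s0-s1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    # Windows prints the authority in hex once it no longer fits in 32 bits.
    auth_text = f"0x{authority:012X}" if authority >= 1 << 32 else str(authority)
    return "-".join(["S", str(revision), auth_text, *map(str, subs)])

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, used here to round-trip the sample."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2], 0)
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def is_machine_sid(text: str) -> bool:
    """A host (machine or domain) SID is S-1-5-21-<a>-<b>-<c>: NT authority,
    first sub-authority 21, then exactly three 32-bit identifiers."""
    parts = text.split("-")
    return len(parts) == 7 and parts[:4] == ["S", "1", "5", "21"]

if __name__ == "__main__":
    sid = sid_to_string(SAMPLE_SID)
    print(sid, "(machine SID)" if is_machine_sid(sid) else "(other SID)")
```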

See also :

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution :

You can prevent anonymous lookups of the host SID by setting the
'RestrictAnonymous' registry setting to an appropriate value.

Refer to the 'See also' section for guidance.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0
(CVSS2#E:H/RL:U/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 56210

Bugtraq ID: 959

CVE ID: CVE-2000-1200
