Performance Monitor readable

Risk Level: Low

Check or Attack Name: perfmon

Platforms: Windows NT

Description:

Any member of the Users or Guest group can read the performance counters from the registry. Access to the performance counters is regulated by the permissions on the Software\Microsoft\Windows NT\CurrentVersion\Perflib registry key. Reading the performance counters can give an attacker considerable information regarding which applications a machine is running.

Remedy:

Perform the following procedures:

  • Disable the Guest account:

    1. Open the User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
    2. Select the Guest account from the list.
    3. From the User menu, select Properties to display the User Properties dialog box.
    4. Select the Account Disabled check box.
    5. Click OK.

  • Verify that the appropriate accounts have the Access the computer from the network user right. To prevent remote logon of a Windows NT user account:

    1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
    2. Select the user account from the list.
    3. From the Policies menu, select User Rights to display the User Rights Policy dialog box.
    4. From the Right list, select Access this computer from network.
    5. From the Grant To list, select the user account from the list and click Remove.

  • Restrict registry access to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib key. Under Windows NT 4.0, registry access from the network can be denied completely. To restrict registry access:

    1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
    2. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib registry key.
    3. From the Security menu, choose Permissions to display the Registry Key Permissions dialog box.
    4. Use these guidelines to review the listed permissions:
      • Remove or change any permissions such as Everyone - Full Control. This default permission allows all users to read, modify, and even change ownership and permissions on the items in the key.
      • Review any names with Full Control permissions and determine if the permission is appropriate. Consider using Special Access, Read, or removing permissions if these names do not need to modify items in the key.
      • Review any names with Special Access permissions and determine if the permission is appropriate. Consider using Read or removing permissions if these names do not need to modify items in the key.
      • Review any names that should not be in the list, and remove the name or change their permission as appropriate.
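The following PowerShell script is an added example and is not part of the original advisory or of the Microsoft Knowledge Base article it cites. It covers the three remedy steps above as a check on a modern Windows host: it lists any Allow entry on the Perflib key granted to a broad principal (the list of well-known names is constructed for this check), reports whether the local Guest account is still enabled, and can remove explicit Allow entries for those broad principals, previewing the change with -WhatIf first. It assumes Windows PowerShell 5.1 or PowerShell 7 with the Get-LocalUser cmdlet and an elevated prompt; on Windows NT 4.0 itself the regedt32 and User Manager steps above remain the remedy.

```powershell
# Added example, not from the original advisory. Audits the Perflib key ACL and
# the Guest account, and can remove explicit Allow entries for broad groups.
# Assumes Windows PowerShell 5.1 / PowerShell 7 with Get-LocalUser; run elevated.

$PerflibPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'

# Constructed list of well-known broad principals: an Allow entry for any of
# these lets ordinary, guest or anonymous users read the performance counters.
# Administrators, SYSTEM and the Performance Monitor/Log Users groups are
# deliberately not listed, since their access is expected.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-PerflibBroadAccess {
    # Returns each Allow ACE on the Perflib key granted to a broad principal.
    param([string]$Path = $PerflibPath)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-GuestAccountDisabled {
    # True when the local Guest account is absent or disabled.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    return ($null -eq $guest) -or (-not $guest.Enabled)
}

function Remove-PerflibBroadAccess {
    # Removes explicit (non-inherited) Allow ACEs for broad principals.
    # SupportsShouldProcess gives -WhatIf / -Confirm so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $PerflibPath)
    $acl = Get-Acl -Path $Path
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow' -or
            $BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.IsInherited) {
            # Inherited entries cannot be removed on this key directly: either fix
            # the parent key's ACL or break inheritance first (SetAccessRuleProtection).
            Write-Warning "Inherited Allow for $($ace.IdentityReference) on $Path was not removed."
            continue
        }
        if ($PSCmdlet.ShouldProcess($Path, "Remove Allow ACE for $($ace.IdentityReference)")) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -Path $Path -AclObject $acl }
}

# Usage: report first, review the output, then remediate without -WhatIf.
Get-PerflibBroadAccess | Format-Table -AutoSize
if (-not (Test-GuestAccountDisabled)) { Write-Warning 'Local Guest account is enabled.' }
Remove-PerflibBroadAccess -WhatIf
```

Review the reported entries before removing anything: the script only touches Allow entries for the broad principals it names, so accounts that legitimately collect performance data (Administrators, SYSTEM, or members of the Performance Monitor Users and Performance Log Users groups on newer Windows versions) keep their access, and an inherited entry is reported rather than silently dropped.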

References:

Microsoft Knowledge Base Article Q146906, How To Secure Performance Data in Windows NT, http://support.microsoft.com/support/kb/articles/q146/9/06.asp
