WINS records deletion via SNMP

Risk Level: Medium

Check or Attack Name: NT Delete Records

Platforms: Windows NT

Description:

The Simple Network Management Protocol (SNMP) can remotely delete records from a WINS server, bypassing all Windows NT security mechanisms.

WINS (Windows Internet Name Service) provides naming services in a fashion similar to the industry standard DNS (Domain Name Service). After a WINS client reboots, it will register with the WINS server. Until the client is registered, users of the client may not authenticate.

Deleting the WINS records remotely via SNMP prevents authentication from proceeding, and user logins and screen unlocks will not work.

Remedy:

Reboot the WINS client and disable or remove SNMP extension agents from this computer. If SNMP is required on a WINS server, choose a community name that is hard to guess, and configure SNMP to accept requests from specific hosts.

To disable SNMP, follow these steps:

  1. Open the Network control panel. From the Windows NT Start menu, select Settings, Control Panel, Network.
  2. Click the Services tab and select the SNMP service.
  3. Click Remove and confirm the operation.

—OR—

To change the SNMP community name and limit requests to specific hosts, follow these steps:

  1. Open the Network control panel. From the Windows NT Start menu, select Settings, Control Panel, Network.
  2. Click the Services tab and select the SNMP service.
  3. Click Properties to display the SNMP Properties dialog box.
  4. Under the Security tab, review the Accepted Community Names and verify that they are hard to guess.
  5. Set Accept SNMP Packets from These Hosts.
  6. Click Add.
  7. Enter a host name, IP, or IPX address and click Add.
  8. Repeat steps 6 and 7 for all authorized hosts.
  9. Click OK.
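
The following Python check is an added example, not part of the original advisory: it audits a registry export of the SNMP service settings for the two conditions the remedy addresses (guessable community names, no host restriction). The subkey names ValidCommunities and PermittedManagers, the small wordlist, and the 8-character minimum are assumptions, and the export shown is constructed sample data.

```python
import re

# Constructed sample: a REGEDIT4-style export of the SNMP service parameters.
# Assumption: community names and permitted managers are stored in these subkeys.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"1"="public"
"2"="k3V-wins-mon-7Qx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
'''

GUESSABLE = {"public", "private", "snmp", "admin", "monitor", "community"}  # assumed wordlist
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_export(text):
    """Return {subkey leaf name: [(value_name, value_data), ...]} per section."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).rsplit("\\", 1)[-1], [])
            continue
        m = VALUE.match(line)
        if m and current is not None:
            current.append((m.group(1), m.group(2)))
    return keys


def communities(values):
    """String data holds the name ("1"="name"); otherwise the value name is the community."""
    return [data.strip('"') if data.startswith('"') else name for name, data in values]


def audit(text):
    """Return a list of findings; an empty list means both remedy conditions hold."""
    keys = parse_export(text)
    findings = []
    for c in communities(keys.get("ValidCommunities", [])):
        if c.lower() in GUESSABLE or len(c) < 8:  # assumed minimum length
            findings.append(f"guessable community name: {c!r}")
    if not keys.get("PermittedManagers"):
        findings.append("no permitted managers: SNMP packets accepted from any host")
    return findings
```

Run `audit()` on an export taken after completing the steps above; an empty result means every community name passed the heuristic and at least one permitted host is configured.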

References:

BUGTRAQ Mailing List, "Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>, SNMP Insecurity, http://geek-girl.com/bugtraq/1997_4/0060.html

