Friday, July 13, 2012

Access Based Enumeration in Windows Server 2008

ABE filters shared folders visible to a user based on that individual user’s access rights, preventing the display of folders or other shared resources that the user does not have rights to access.
 
End users see only the files and folders they need for their responsibilities rather than spending time looking through lists of inaccessible folders and files. Administrators can be more productive because they do not have to help less-skilled users navigate through dense shared folders. Administrative inefficiencies can consume resources as surely as technical problems, and minimizing time-consuming problems helps make any IT organization more productive.
 
ABE was introduced in Windows Server 2003 SP1 as an additional install; once installed, you could manage ABE through a GUI, a cmd-line tool or the APIs.

We have ABE in Windows Server 2008 and a GUI where you can enable it. Let me explain how you do it:

1. Open the "Share and Storage Management" MMC and Provision a new share.


2. Follow all steps to create a share and, when you are at the SMB Settings window, which is shown below, click on the Advanced button.


3. In the Advanced window you are able to Enable or Disable ABE; by default it's enabled.


So basically you don't have to do anything to enable ABE on your shares. The screenshots above show you how you can create/provision a new share using the GUI. ABE is also enabled if you create the share from the folder directly by right-clicking the folder and selecting Share. However, if you create a share from the command prompt using the "net share" command, it won't be enabled by default.
 
You can always enable / disable ABE after you have created the share by using the "Share and Storage Management" MMC: just right-click a share and hit the Advanced button. So far I didn't find any cmd-line tool to enable or disable ABE.

  

Wednesday, July 11, 2012

DNS Changer Malware




It has been observed that a piece of malware known as the DNS Changer Trojan, which changes the DNS server entries on computer systems and ADSL/VoIP routers (home gateway devices), is propagating widely.

The malware initially infects Windows or Apple computers and subsequently gains access to routers connected to those systems by exploiting weaknesses such as default factory configurations and easily guessable passwords.

Once a router is exploited or accessed, the malware changes the DNS settings on the computers and devices and points them to rogue foreign DNS servers.

In a typical attack scenario, unwitting users are enticed to download malware (similar to Trojan:BAT/Dnschanger.B), which then tampers with the Windows network settings on the host computer (DNS entries in the hosts file, adding a proxy in the browser settings), scans for connected DSL devices and tries to log in directly to the admin interface to change the DNS settings in the routers.

By achieving this, cyber criminals can control which sites the user connects to on the internet. The following actions could be performed on an infected system:

  • Redirecting the intended queries to malicious servers and hence further downloading of malware or potentially unwanted programs, or conducting phishing attacks
  • Eavesdropping on the user's sessions
  • Man-in-the-Middle attack (MITM)
  • Serving advertisements of the attacker's choice
  • Preventing the download of operating system and antivirus updates

Confirming malware infection

Check the local or ADSL / VoIP router DNS server settings against the identified rogue DNS servers:
64.28.176.0 - 64.28.191.255 
67.210.0.0 - 67.210.15.255 
77.67.83.0 - 77.67.83.255  
93.188.160.0 - 93.188.167.255 
85.255.112.0 - 85.255.127.255 
213.109.64.0 - 213.109.79.255

(Note: The local DNS server list can be found by running ipconfig /all | findstr "DNS" in the Windows command prompt. If any suspicious entries are found, delete them and use ipconfig /flushdns to clear the cached entries. Then access the router interface and check the DNS entries there; refer to the owner's manual for accessing and configuring the device.)

Check the Windows/Apple system for entries related to malicious DNS servers.
Typical registry entries look like:

  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}\DhcpNameServer = 93.188.161.105
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}\DhcpNameServer = 93.188.166.105
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}\DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
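The two checks above (the DNS servers reported by ipconfig /all and the DhcpNameServer registry values) can be automated against the advisory's rogue ranges. The following is an added Python example, not part of the original advisory; the ipconfig fragment it parses is constructed, and the LAN router address 192.168.1.1 is an assumption.

```python
import ipaddress
import re

# Rogue DNS server ranges listed in the advisory (start and end inclusive).
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"), ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"), ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"), ("213.109.64.0", "213.109.79.255"),
]
# Expand each start/end pair into CIDR networks for cheap membership tests.
ROGUE_NETWORKS = [
    net for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
]

def is_rogue(addr: str) -> bool:
    """True if addr is a valid IP inside one of the advisory's rogue ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:  # not an IP literal (e.g. an empty or stray token)
        return False
    return any(ip in net for net in ROGUE_NETWORKS)

def dns_servers_from_ipconfig(output: str) -> list:
    """DNS servers from 'ipconfig /all' text: first on the 'DNS Servers' line, extras on continuation lines."""
    servers, collecting = [], False
    for line in output.splitlines():
        text = line.strip()
        m = re.match(r"DNS Servers[ .]*: (\S+)", text)
        if m:
            servers.append(m.group(1))
            collecting = True
        elif collecting and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text):
            servers.append(text)
        else:
            collecting = False
    return servers

def rogue_in_registry_value(value: str) -> list:
    """Rogue addresses in a DhcpNameServer/NameServer value (comma or space separated)."""
    return [s for s in re.split(r"[,\s]+", value) if is_rogue(s)]

# Constructed 'ipconfig /all' fragment (not a real capture): the first DNS
# entry is a rogue address from the advisory, the second an assumed LAN router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 93.188.161.105
                                       192.168.1.1
"""
```

Feeding the real output of ipconfig /all into dns_servers_from_ipconfig, or an exported DhcpNameServer value into rogue_in_registry_value, returns the addresses that fall inside the listed ranges.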

Check the hosts file entries and the proxy settings in the browser configuration on the local system for suspicious entries. Delete fraudulent entries if found. The steps below locate the entries. On a Windows 7 (Professional) box the local resolver file, or hosts file, is located at C:\Windows\System32\drivers\etc\hosts :



Locating the proxy entries in the Firefox (10) browser: start the browser, click Options > Advanced > Network and click on Connection Settings.



DNS Changer "Eye Chart": query " http://www.dns-ok.us/ ", which verifies that legitimate DNS servers are in use.

Tools
Anti-virus vendor AVIRA has released a DNS repair tool. This can be downloaded from here to clean an infected system.
If it is suspected that the router's credentials have been changed in an unauthorised fashion, reset the router settings, change the credentials for the modem's interface and reboot the devices.

Countermeasures
Restrict the web management interface of routers to authorized users and change default usernames/passwords
Report suspicious entries in routers to your Internet Service Provider
Keep up-to-date antivirus on the computer system
Keep up to date on patches and fixes for the operating system and applications


Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.

Wednesday, July 4, 2012

How to Disconnect shared drives through Command Prompt

Imagine that you browse through and connect to a share, entering your username and password to gain access.

The problem is that you stay connected, and there’s no visible way to disconnect yourself. If you try and shut down the other PC, you’ll receive a message that users are still connected. So let’s disconnect!

Open up a command prompt, and then type in the following:

net use

This will give you a list of the connected drives, including the ones that aren’t actually mapped to a drive letter. To disconnect one of the connections, you can use the following command:

net use /delete \\server\sharename

For example, in this instance we’d disconnect like so:

net use /delete \\192.168.10.100\root$

Now when you run the “net use” command again, you’ll see that you’ve been properly disconnected.

If you wanted to actually connect to a share without mapping a drive letter, you can do the following:

net use /user:Username \\server\sharename Password

You could then just pop \\server\sharename into a Windows Explorer window and browse the files that way. Note that this technique should work exactly the same in any version of Windows.

Syntax:

NET USE /DELETE \\SERVER01

OR

NET USE /DELETE \\SERVER01\ADMINISTRATOR