How do I prevent the use of tools like Hyena from gaining info


OK. Our IT Auditors just visited us and came back with a wealth of information
concerning our AD Domain Accounts, Member Server info, etc. Fortunately, I
am friendly with one of the Auditors and was able to find out how they obtained this
information. They obtained the information using a tool called "Hyena".
They were able to gather a lot of information with the tool, with no elevated
user rights, just domain user accounts. My question is "How do I prevent
ordinary users from using such tools to gain information from our network?"
I find this to be a serious security risk, in that anyone with access to our
network can get such information.
 
The issue really is not one of preventing use of such tools, but
of determining which categories of information really do form
a risk by being available and then taking steps so that the system
does not make such info available to a plain user.

Going about it your way does nothing relative to the next tool,
or relative to someone that can script in Windows.

It is easy to react to seeing something like a list of all accounts
and think this should not be. But what is the risk that it actually
poses? And, if one did, or could, block this what would be the
impact? Notice that one low power account could not easily
manage permissions on things like folders they share, or the
memberships in groups they have been delegated, etc. if they
are not able to list the accounts / query and pick the accounts.

Most information that a limited user has no business accessing
is or can be restricted from them.
 
My personal observation: when the Microsoft remote registry service and NetBIOS
are running, a user with even just guest rights can scan the network to get a
lot of information such as the shares, user IDs, password policy, services
running, etc.
 
If you do not enable the Guest account in your environment,
and use the policy settings to prevent anonymous logins
from enumerating accounts, groups, and shares, then you
will not have this problem.
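The policy settings this reply refers to can be verified with a short audit script. This is an added example, not code from any poster in the thread; it assumes a Windows member server where the anonymous-enumeration settings live under the LSA and LanmanServer registry keys (on a domain controller, check the domain Guest account with Get-ADUser from the ActiveDirectory module instead of Get-LocalUser).

```powershell
# Added example: report whether anonymous (null-session) enumeration of
# accounts, groups and shares is restricted, and whether Guest is disabled.
# Run from an elevated PowerShell prompt on the server you want to check.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each registry value maps to a "Network access:" security policy setting:
#   RestrictAnonymousSAM      = 1  Do not allow anonymous enumeration of SAM accounts
#   RestrictAnonymous         = 1  Do not allow anonymous enumeration of SAM accounts and shares
#   EveryoneIncludesAnonymous = 0  Let Everyone permissions apply to anonymous users (disabled)
#   RestrictNullSessAccess    = 1  Restrict anonymous access to Named Pipes and Shares
$checks = @(
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Expected = 1 },
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Expected = 1 },
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Expected = 0 },
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Expected = 1 }
)

function Get-RegValueOrNull($Path, $Name) {
    # Returns $null when the value is absent, so a missing (default) setting is visible.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValueOrNull $c.Path $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        OK       = ($actual -eq $c.Expected)
    }
})

# Shares explicitly opened to null sessions; an empty list is the desired state.
$nullShares = Get-RegValueOrNull $srv 'NullSessionShares'
$results += [pscustomobject]@{
    Setting = 'NullSessionShares'; Expected = '(empty)'
    Actual  = if ($nullShares) { $nullShares -join ',' } else { '(empty)' }
    OK      = (-not $nullShares)
}

# Local Guest account must be disabled; on a DC use Get-ADUser -Identity Guest instead.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Setting = 'Guest account enabled'; Expected = $false
    Actual  = if ($null -eq $guest) { '(no local Guest)' } else { $guest.Enabled }
    OK      = ($null -eq $guest -or -not $guest.Enabled)
}

$results | Format-Table -AutoSize
```

Rows with OK = False are the settings to correct through Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.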
 
The other responders to this post were right-on in their excellent
replies.

As the developer of 'Hyena', I had a few other observations:

- Hyena only uses the built-in standard Windows functions to get
information. Chances are that the auditor could also have obtained
this information using Microsoft's tools, or any other 3rd party
administration tool.

- Everyone, especially the IT auditors, needs to understand that
security does not involve limiting access to an application or utility,
but rather an understanding of what information a default user can
obtain and if it can be limited, the problems that limiting this
information can pose.

One post correctly pointed out that a list of user and group accounts
is needed to set security on a file/directory, which a normal end-user
may be able to do. A list of network shares is another thing that
normally any user can obtain.

A good way to determine any possible security holes and to be able to
see what rights and limitations a normal 'domain user' has is to run
'Hyena' under such an account.

Kevin Stanush
SystemTools Software Inc.
http://www.systemtools.com
Home of 'Hyena' for Windows Administration
 