NTA Monitor

NT4 DNS flaw

Microsoft Windows NT includes a DNS (Domain Name Server) software component. NTA Monitor has now revealed that it leaks the identity of the NT administrator account by inserting that account's name into the SOA records it returns for the zones it serves.

Microsoft itself recommends that users rename the administrator account away from the default, but this flaw lets an attacker discover the new name anyway.

Because Windows allows remote login as the administrator and permits unlimited login attempts, an attacker who knows the name of the admin account can attempt a brute-force attack, the password being the only unknown.

Reference - Roy Hills of NTA Monitor's announcement

>Date: Tue, 20 Jun 2000 17:16:18 +0100
>To: secure@microsoft.com
>From: Roy Hills {Roy.Hills@nta-monitor.com}
>Subject: NT DNS Server leaks administrator account name in SOA record
>
>Dear Microsoft Security Department,
>
>I've noticed that the Microsoft DNS server on NT Server 4.0 leaks the
>built-in administrator account name in the "contact" field of the DNS
>SOA record for all zones that it is authoritative for.
>
>For example, a DNS lookup for the SOA record of "domain.com" might
>give the following answer if the built-in administrator's account name is the
>default of "Administrator":
>
>domain.com.   86400 SOA  ns.domain.com. administrator.domain.com. (
>          2000062001  ; serial
>          7200   ; refresh (2 hours)
>          3600   ; retry (1 hour)
>          1209600   ; expire (14 days)
>          86400 )   ; minimum (1 day)
>
>If the administrator account name had been renamed from the default
>"Administrator" to "Hardman", the SOA record would be:
>
>domain.com.   86400 SOA  ns.domain.com. hardman.domain.com. (
>          2000062001  ; serial
>          7200   ; refresh (2 hours)
>          3600   ; retry (1 hour)
>          1209600   ; expire (14 days)
>          86400 )   ; minimum (1 day)
>
>Most NT security guides advise administrators to rename the built-in
>Administrator account to a hard-to-guess name.  However, if the NT server
>is acting as a DNS server using Microsoft DNS server software, it is possible
>to determine the name of the administrator account.
>
>It is possible to manually change the contact Email address in the SOA record
>to prevent this information leakage, but I guess that most people won't bother
>to do this and will leave it at the default.
>
>I've seen this behaviour on Windows NT Server 4.0 SP4 running the Microsoft
>DNS Server network service.
>
>Regards,
>
>Roy Hills
>NTA Monitor Ltd

This advisory was first released on 13th July 2000.
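The check below is an added example written for this page, not code from NTA Monitor or from the advisory. It parses SOA answers in the text layout quoted above, extracts the contact (RNAME) field, and flags zones whose contact mailbox names a privileged account on the host, which is the condition the advisory describes. The sample SOA answers are constructed from the two records in the e-mail plus an assumed hardened record; the set of privileged account names is an input the defender supplies (the names of the real local administrator accounts, whatever they have been renamed to), and the `hostmaster` role mailbox follows the convention in RFC 2142.

```python
"""Audit SOA contact (RNAME) fields for leaked privileged account names.

Added example for the NT4 DNS advisory; the SOA samples are constructed
from the records quoted in the advisory, the account names are assumed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples: the two answers quoted in the advisory, and an
# assumed hardened answer whose contact is the RFC 2142 hostmaster mailbox.
SAMPLE_SOA_ANSWERS = {
    "default": """domain.com.   86400 SOA  ns.domain.com. administrator.domain.com. (
          2000062001  ; serial
          7200   ; refresh (2 hours)
          3600   ; retry (1 hour)
          1209600   ; expire (14 days)
          86400 )   ; minimum (1 day)""",
    "renamed": """domain.com.   86400 SOA  ns.domain.com. hardman.domain.com. (
          2000062001  ; serial
          7200   ; refresh (2 hours)
          3600   ; retry (1 hour)
          1209600   ; expire (14 days)
          86400 )   ; minimum (1 day)""",
    "hardened": """domain.com.   86400 IN SOA  ns.domain.com. hostmaster.domain.com. (
          2000062002  ; serial
          7200   ; refresh (2 hours)
          3600   ; retry (1 hour)
          1209600   ; expire (14 days)
          86400 )   ; minimum (1 day)""",
}


@dataclass
class SOARecord:
    owner: str
    ttl: Optional[int]
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    @property
    def contact_mailbox(self) -> str:
        """RFC 1035 encodes the contact mailbox as a domain name whose first
        label is the local part; "administrator.domain.com." therefore means
        administrator@domain.com (escaped dots in the local part are not handled)."""
        local, _, domain = self.rname.rstrip(".").partition(".")
        return f"{local}@{domain}"


def parse_soa(text: str) -> SOARecord:
    """Parse a master-file style SOA answer, possibly spread over several
    lines with ';' comments and a parenthesised RDATA section."""
    # Drop comments first so the "(2 hours)" remarks do not confuse the
    # parenthesis handling, then flatten everything into one token stream.
    stripped = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = stripped.replace("(", " ").replace(")", " ").split()
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    idx = tokens.index("SOA")
    head = tokens[:idx]          # owner [ttl] [class]
    rdata = tokens[idx + 1:]     # mname rname serial refresh retry expire minimum
    if not head:
        raise ValueError("SOA record has no owner name")
    if len(rdata) != 7:
        raise ValueError(f"expected 7 SOA RDATA fields, got {len(rdata)}")
    ttl = next((int(t) for t in head[1:] if t.isdigit()), None)
    serial, refresh, retry, expire, minimum = (int(x) for x in rdata[2:])
    return SOARecord(head[0], ttl, rdata[0], rdata[1],
                     serial, refresh, retry, expire, minimum)


ROLE_MAILBOXES = frozenset({"hostmaster", "dns-admin", "dnsadmin"})  # assumed


def audit_soa_contact(record: SOARecord, privileged_accounts) -> Tuple[str, str]:
    """Classify a zone's SOA contact.

    privileged_accounts: the real privileged account names on the server,
    as known to its administrator (the advisory's point is that a renamed
    account leaks just as readily as the default one, so the check compares
    against the actual names rather than only "administrator").
    """
    local = record.contact_mailbox.split("@", 1)[0].lower()
    if local in {name.lower() for name in privileged_accounts}:
        return ("LEAK", f"zone {record.owner} SOA contact {record.contact_mailbox} "
                        f"exposes privileged account name '{local}'")
    if local in ROLE_MAILBOXES:
        return ("OK", f"zone {record.owner} SOA contact {record.contact_mailbox} is a role mailbox")
    return ("REVIEW", f"zone {record.owner} SOA contact {record.contact_mailbox} "
                      "is a personal mailbox; prefer a role mailbox such as hostmaster")


if __name__ == "__main__":
    # Assumed: the server's administrator account has been renamed to "Hardman".
    for label, answer in SAMPLE_SOA_ANSWERS.items():
        status, detail = audit_soa_contact(parse_soa(answer), {"Administrator", "Hardman"})
        print(f"{label:9s} {status:7s} {detail}")
```

The fix the advisory points to is the same for every zone: set the SOA contact to a role mailbox (hostmaster@domain.com) rather than leaving whatever the server fills in by default, and re-run this check after any change to the privileged account names so the zone data never tracks them.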