VERITAS Backup Exec "RestrictAnonymous" registry key set to zero

veritas-backupexec-restrictanonymous-zero (10093) The risk level is classified as MediumMedium Risk

Description:

Veritas Backup Exec for Windows used with Microsoft Exchange 2000 requires that the "RestrictAnonymous" registry key value be set to 0 in order to remotely backup the server, while Microsoft recommends that this value be set to 1 for proper security to be enabled. This setting causes the anonymous listing of the SAM database and all associated shared folders and files. A remote or local attacker could use this vulnerability to obtain sensitive information.

Platforms Affected:

  • Microsoft, Small Business Server 2000
  • Microsoft, Windows 2000 Datacenter Server
  • Microsoft, Windows 2000 Advanced Server
  • Microsoft, Windows 2000 Professional
  • VERITAS, Backup Exec 8.5

Remedy:

Upgrade to Backup Exec 8.6 or later, and manually set the "RestrictAnonymous" registry key value to 1. Refer to Veritas TechNote ID: 238618 for more information. See References.

Consequences:

Configuration

References:

  • BugTraq Mailing List, Fri Sep 06 2002 - 15:19:22 CDT , Veritas Backup Exec opens networks for NetBIOS based attacks? at http://archives.neohapsis.com/archives/bugtraq/2002-09/0052.html.
  • Veritas TechNote ID: 238618, Support for Exchange 2000 "restrictanonymous" key must be manually enabled under BENT v8.6.3808. at http://seer.support.veritas.com/docs/238618.htm.
  • Veritas TechNote ID: 239739, Backup operations of Windows 2000 servers fail with the error: "Unable to Attach to \\Server Name\System?State. The device cannot be found." when using Backup Exec version 8.6. at http://seer.support.veritas.com/docs/239739.htm.
  • CVE-2002-1117: Veritas Backup Exec 8.5 and earlier requires that the RestrictAnonymous registry key for Microsoft Exchange 2000 must be set to 0, which enables anonymous listing of the SAM database and shares.
  • OSVDB ID: 8230: VERITAS Backup Exec RestrictAnonymous Requirement SAM Information Disclosure

Reported:

Sep 06, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page