
RedButton Remote Registry

Windows NT
Remote Registry and Anonymous User Issue

A new program was released this weekend that allows ANYONE with remote access to an NT server (using ports 137, 138, and 139) to connect to that machine, read the registry, and create a new share accessible to the Everyone group. This is a SERIOUS problem that should be guarded against at all costs. A quick test of this new RedButton program shows that it does in fact connect to a remote NT system.

Administrators should seriously consider blocking access to ports 137, 138, and 139 on any machines exposed to the Internet. You can also stop the Server service to protect yourself, although doing so eliminates the ability for that server to share resources.

Another consideration is to edit the Registry as follows:

1. Open HKEY_LOCAL_MACHINE\CurrentControlSet\Control\SecurePipeServers
2. Create a key called winreg (if it doesn't exist)
3. Set the security on it however you like, but don't give the Everyone group access; don't define Everyone with NO ACCESS either, as this locks out all accounts.
4. Reboot the system
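As an added example, not part of the original advisory and not code from MWC or Microsoft, the following PowerShell script audits the two mitigations above on a current Windows host: whether the winreg key exists and whether its ACL names the Everyone group at all (an Allow entry exposes the registry, a Deny entry locks everyone out, as step 3 warns), and whether inbound block rules exist for UDP 137/138 and TCP 139. It uses the full key path HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg together with the Get-Acl and NetSecurity cmdlets, which exist on Windows 8 / Server 2012 and later but not on NT 4; the firewall rule display names are assumptions, and the port check ignores rules written as ranges.

```powershell
# Added audit script (not from the original page). Assumes PowerShell 5+
# with the NetSecurity module (Windows 8 / Server 2012 or later).
$WinRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Test-WinRegAcl {
    # Returns $true when the winreg key exists and no ACE names Everyone.
    if (-not (Test-Path $WinRegKey)) {
        Write-Warning "winreg key missing: remote registry access is not restricted by this key"
        return $false
    }
    $acl = Get-Acl -Path $WinRegKey
    $everyone = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })
    foreach ($ace in $everyone) {
        # Either an Allow or a Deny for Everyone is wrong here: Allow exposes the
        # registry remotely, Deny also matches administrators and locks them out.
        Write-Warning ("Everyone has {0} {1} on winreg" -f $ace.AccessControlType, $ace.RegistryRights)
    }
    return ($everyone.Count -eq 0)
}

function Test-NetBiosBlocked {
    # Returns $true when an enabled inbound Block rule exists for each NetBIOS port.
    $wanted = @(
        @{ Protocol = 'UDP'; Port = '137' },
        @{ Protocol = 'UDP'; Port = '138' },
        @{ Protocol = 'TCP'; Port = '139' }
    )
    $ok = $true
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($w in $wanted) {
        $match = $blockRules | Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            # LocalPort is a string or string array; rules written as ranges are not parsed here
            ($pf.Protocol -eq $w.Protocol) -and (@($pf.LocalPort) -contains $w.Port)
        }
        if (-not $match) {
            Write-Warning ("No enabled inbound block rule for {0}/{1}" -f $w.Protocol, $w.Port)
            $ok = $false
        }
    }
    return $ok
}

# To create the block rules once, from an elevated prompt (display names are assumed):
# New-NetFirewallRule -DisplayName 'Block NetBIOS UDP 137-138' -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block
# New-NetFirewallRule -DisplayName 'Block NetBIOS TCP 139' -Direction Inbound -Protocol TCP -LocalPort 139 -Action Block

$winregOk  = Test-WinRegAcl
$netbiosOk = Test-NetBiosBlocked
"winreg ACL ok: $winregOk; NetBIOS ports blocked: $netbiosOk"
```

Run it elevated so Get-Acl can read the key's security descriptor; a host exposed to the Internet should report both checks as True, and any Everyone entry it prints, Allow or Deny, is the condition step 3 tells you to avoid.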

RedButton was released by MWC, security consultants, who are maintaining a Web page about the new RedButton software at http://www.ntsecurity.com/redbutton. NOTE: This Web address is ntsecurity.com - not associated with NTSD or ntsecurity.net. We are not responsible for content at their site.

RedButton will:
* logon remotely to a target computer without presenting a username and password
* gain access to the resources available to the Everyone group
* determine the current name of built-in Administrator account
* read several registry entries and display the information
* list all shares - even hidden shares

Download a test version of RedButton from MWC

Microsoft released a HOTFIX for the RedButton problems on May 3, 1997. Be CERTAIN to read the Knowledge Base articles and README files in the distribution directory - this software hotfix installs itself without warning so be careful to understand it completely before proceeding.
