4.7 Enumeration Countermeasures
- SNMP:
  - Remove the SNMP agent or turn off the SNMP service
  - If shutting off SNMP is not an option, change the default community string name
  - Upgrade to SNMPv3, which encrypts passwords and messages
  - Implement the Group Policy security option called "Additional restrictions for anonymous connections"
  - Ensure that access to null session pipes, null session shares, and IPSec filtering is restricted
- DNS:
  - Disable DNS zone transfers to untrusted hosts
  - Make sure that private hosts and their IP addresses are not published in the DNS zone files of public DNS servers
  - Use premium DNS registration services that hide sensitive information such as HINFO from the public
  - Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks
- SMTP: Configure SMTP servers to:
  - Ignore email messages to unknown recipients
  - Not include sensitive mail server and local host information in mail responses
  - Disable the open relay feature
- LDAP:
  - By default, LDAP traffic is transmitted unsecured; use SSL technology to encrypt the traffic
  - Select a user name different from your email address and enable account lockout
- SMB:
  - Disable the SMB protocol on Web and DNS servers
  - Disable the SMB protocol on Internet-facing servers
  - Disable ports TCP 139 and TCP 445 used by the SMB protocol
  - Restrict anonymous access through the RestrictNullSessAccess parameter in the Windows Registry
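
The two DNS zone-file items above (private hosts and HINFO) can be checked mechanically before a zone is published. The following is an added example, not part of the original notes: it scans a zone file for A/AAAA records that point into internal address space and for HINFO records. The zone contents, the `audit_zone` name and the list of internal ranges are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a public-facing zone file (not from the original notes).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 7200 900 1209600 3600 )
@       IN NS    ns1.example.com.
ns1     IN A     198.51.100.10
www     IN A     203.0.113.20
fileserver IN A  10.0.5.12
hr-db   3600 IN A 192.168.40.7
build   IN AAAA  fd12:3456:789a::15
www     IN HINFO "Intel Xeon" "Windows Server 2019"
mail    IN MX    10 mx.example.com.
"""

# Assumed definition of "internal": RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Matches single-line "name [ttl] [IN] TYPE rdata" for the types audited here.
RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?"
    r"(?P<type>A|AAAA|HINFO)\s+(?P<rdata>.+)$", re.IGNORECASE)

def audit_zone(text):
    """Return (line, owner, issue, value) for records that leak internal detail."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RECORD.match(raw.split(";", 1)[0].rstrip())  # drop ';' comments
        if not m:
            continue  # directives and record types outside this audit
        name, rtype, rdata = m["name"], m["type"].upper(), m["rdata"].strip()
        if rtype == "HINFO":  # host CPU/OS details published to anyone who queries
            findings.append((lineno, name, "HINFO", rdata))
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed address: leave to the DNS server's own checks
        if any(addr in net for net in INTERNAL_NETS):
            findings.append((lineno, name, "INTERNAL_ADDR", str(addr)))
    return findings

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(finding)
```

The parser handles only single-line records with an explicit owner name; records that inherit the owner from the previous line would need a full zone parser.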