Vista security option changes to named pipe access

Poorly secured named pipes are a well known way for malicious hackers to infiltrate Windows networks. A hacker could take advantage of these named pipes by connecting to a Windows system as an anonymous user. With the advent of Windows XP, however, Microsoft has taken strides to reduce the risk that named pipes and anonymous users pose. Read about Vista's improved named pipe security in this excerpt from Mark Minasi's book, "Administering Windows Vista Security: The Big Surprises."

Windows Vista's little surprises
By Mark Minasi

Have a look inside Windows security guru Mark Minasi's latest book, Administering Windows Vista Security: The Big Surprises, with this excerpt from Chapter 1, "Administering Vista Security: The Little Surprises."

Named pipes are a way for programs to communicate among themselves. Years ago, most named pipes created by the operating system (OS) were poorly secured or not secured at all. Many hackers successfully attacked Windows systems through poorly-secured named pipes. One of the easiest avenues for these sort of attacks was by connecting as an "anonymous" user. This is a once-obscure but sadly now well-known way to connect to many Microsoft protocols and, as its name suggests, you needn't use a username and password to log in; you can, instead, remain anonymous.

While allowing anonymous users any access to a Microsoft network resource isn't a very good idea, the fact is that for backward compatibility purposes Windows still uses some anonymous connections. Microsoft's been slowly removing the anonymous user—if I recall right, the first code to reduce the power of "anonymous" was as far back as 1998 with NT 4.0 SP3—but it's still around, and Vista takes up cudgels to reduce its power—and threat—a bit further, in these changes in how named pipes handle anonymous users.

Windows has, since XP at least, had a Security Options setting called "Network access: Named Pipes that can be accessed anonymously." It lists a subset of the system's named pipes that you need the anonymous user to be able to access, and by default the group policy setting has included a bunch of stuff that doesn't really make sense:

  • COMNAP and COMNODE only appear on a server running Microsoft's gateway software for talking to an IBM mainframe, their "Host Integration Server" (HIS). To the best of my knowledge, it's not possible to run HIS on any of Microsoft's desktop OSs.
  • SQLQUERY would appear on a system running Microsoft SQL Server or its equivalent. It's possible that a Vista system might be running SQL Server Express 2005— although not possible, I am told, to run its predecessor, Microsoft Desktop Engine (MSDE)— but not likely.
  • LLSRPC appears only on servers running the Licensing Service. Why Microsoft would want anonymous people accessing the Licensing Service is a puzzle, and in no case would it appear on a desktop OS.
  • BROWSER allows a system to act as either a master browser or backup browser on a subnet; this pipe is how the master and backup browsers talk. If the backup and master browser on a given subnet are not members of the same forest, then they need to be able to anonymously access the BROWSER named pipe so that the master browser can send the backup browser a copy of the segment's browse list. Microsoft has kept BROWSER in the list of named pipes that can be accessed anonymously because of that case where a workgroup might have backup and master browsers. In any case, the chances that it's a desktop OS are small, but not impossible; one could imagine a small home workgroup built entirely of Vista systems. But in that case we'd probably be talking about a single segment, where broadcasts could handle any name resolution needs.

Vista's default setting for "Network access: Named Pipes that can be accessed anonymously" removes all of those named pipes, leaving just one: SPOOLSS. That works with the print spooler, and that's a server role that is quite common for desktop OSes.

Why did Microsoft have so many silly named pipes in XP's default set of group policy settings? They were just saving themselves a little trouble by creating a set of defaults that they could apply both to server OSs and workstation OSs. With Vista, it looks as though that's no longer true, and the desktop has gotten its own set of settings. also features excerpts from chapter eight, "Locking Up the Ports: Windows Firewall", of Mark Minasi's book, "Mastering Windows Server 2003 Upgrade Edition for SP1 and R2."

Mark Minasi is a best-selling author, commentator and all-around alpha geek. Mark is best known for his books in the Mastering Windows series. What separates him from others is that he knows how to explain technical things to normal humans, and make them laugh while doing it. Mark's firm, MR&D, is based in Pungo, a town in Virginia's Tidewater area that is distinguished by having one -- and only one -- traffic light.
Copyright 2005 TechTarget

Dig Deeper on Windows legacy operating systems

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.