Rule:--Sid:5662--Summary:This rule generates an event when an attempt is made to access a registry key on a remote machine without adequate authentication.--Impact:Execution of arbitrary code leading to full administrator access of the machine. Denial of Service (DoS).--Detailed Information:A vulnerability in the way that Microsoft systems process authentication information may lead to a remote attacker being able to bypass restrictions and manipulate registry settings.The remote registry server does not properly handle malformed requests, if the service fails a remote attacker may be able to take control of an affected machines via the manipulation of the machine registry.--Affected Systems:Windows NT 4.0Windows NT 4.0 Terminal Server Edition--Attack Scenarios:An attacker would need to supply a malformed request to the remote registry service to cause the failure to authenticate. The attacker could then manipulate the registry.--Ease of Attack:Simple. Expoit code exists.--False Positives:None known.--False Negatives:None known.--Corrective Action:Apply the appropriate vendor supplied patches.Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources using a packet filtering firewall.--Contributors:Sourcefire Vulnerability Research TeamBrian Caswell <bmc@sourcefire.com>Matt Watchinski <matthew.watchinski@sourcefire.com>Nigel Houghton <nigel.houghton@sourcefire.com>--Additional References:--