Threats to WINS Servers
A WINS server faces several threats that can result in the compromise or unauthorized modification of records in the WINS server database. These threats include the following:
Preventing replication between WINS servers
Registration of false NetBIOS records
Incorrect registration of WINS records
Modification of WINS configuration
Preventing Replication Between WINS Servers
The WINS database is a distributed database. Clients register their NetBIOS names with the first WINS servers listed in the client's TCP/IP properties. The WINS servers then replicate their portion of the WINS database with the other WINS servers on the network. If replication is prevented, a WINS client will not be able to reach any NetBIOS clients whose NetBIOS records are missing from its WINS server's database. Replication can be prevented by denial-of-service attacks against the WINS server or by compromising the WINS servers, resulting in the modification of the WINS replication settings.
Registration of False NetBIOS Records
A WINS client will register its NetBIOS host and group records with its configured WINS server. If the record already exists in the WINS database, the WINS server will attempt to detect whether the current owner of the record exists on the network. If the previous client cannot be reached, a new client replaces the current record. An attacker can hijack the WINS database record by performing a denial-of-service attack against the current record holder. The denial-of-service attack prevents the previous client from responding to the WINS server's validation request.
Incorrect Registration of WINS Records
An attacker can register a computer record with the same name as a group record. For example, to block authentication with a domain named NWTRADERS, an attacker might attempt to register a host record with the name NWTRADERS. Although the names are technically different (one is a host name and the other is a group name), the existence of the host record will prevent registration of the domain record. This results in authentication failure for clients attempting to connect to the domain record.
Modification of WINS Configuration
If an attacker gains access to the WINS console with the appropriate permissions, she can modify the configuration of the WINS server. The attacker can modify the settings for WINS replication, add static WINS records, or remove valid WINS records and replace them with false WINS records.
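The following is an added example, not part of the original text: a Python audit that compares a current WINS database export with a trusted baseline and flags the record-level symptoms of the threats described above (a host record on a domain name, a unique record whose address changed, an unexpected static mapping, a vanished record). The record layout, the set of group suffixes, and all sample values are assumptions constructed for illustration.

```python
# Added example: record layout and all sample values are constructed.
from typing import NamedTuple

class Rec(NamedTuple):
    name: str            # NetBIOS name (first 15 characters)
    suffix: int          # 16th byte of the name, e.g. 0x00, 0x1C, 0x20
    kind: str            # "unique" (host) or "group"
    ip: str
    static: bool = False # True if entered as a static mapping

# Assumption: suffixes under which a domain name is held as a group record.
GROUP_SUFFIXES = {0x00, 0x1C, 0x1E}

def audit(current, baseline, protected_names):
    """Return sorted (finding, name, suffix, detail) tuples."""
    base = {(r.name.upper(), r.suffix): r for r in baseline}
    protected = {n.upper() for n in protected_names}
    findings = []
    for r in current:
        key = (r.name.upper(), r.suffix)
        old = base.get(key)
        # Host (unique) record sitting on a protected domain/group name.
        if r.kind == "unique" and key[0] in protected and r.suffix in GROUP_SUFFIXES:
            findings.append(("unique-on-group-name", key[0], r.suffix, r.ip))
        # Existing unique record now resolves to a different address.
        if old and old.kind == "unique" and r.kind == "unique" and old.ip != r.ip:
            findings.append(("owner-changed", key[0], r.suffix, f"{old.ip}->{r.ip}"))
        # Static mapping that the baseline did not contain.
        if r.static and (old is None or not old.static):
            findings.append(("new-static", key[0], r.suffix, r.ip))
    # Baseline records that are no longer present (removed or not replicated).
    seen = {(r.name.upper(), r.suffix) for r in current}
    findings += [("missing", k[0], k[1], o.ip) for k, o in base.items() if k not in seen]
    return sorted(findings)

BASELINE = [  # constructed sample data
    Rec("NWTRADERS", 0x00, "group", "10.0.0.10"),
    Rec("FILESRV01", 0x20, "unique", "10.0.0.21"),
    Rec("PRINT01", 0x20, "unique", "10.0.0.30", static=True),
]
CURRENT = [   # constructed sample data
    Rec("NWTRADERS", 0x00, "unique", "10.0.0.99"),
    Rec("FILESRV01", 0x20, "unique", "10.0.0.99"),
    Rec("INTRANET", 0x20, "unique", "10.0.0.99", static=True),
]

if __name__ == "__main__":
    print(*audit(CURRENT, BASELINE, ["NWTRADERS"]), sep="\n")
```

Findings are leads for review rather than proof of tampering: an address change can also be a legitimate lease renewal, and a missing record can be a normal release.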