Message-ID: <00e201c5a375$8d5f2090$1a64110a@64DOG>
Date: Wed Aug 17 22:49:52 2005
From: listuser at seifried.org (Kurt Seifried)
Subject: Re: It's not that simple...
Actually it really is that simple. Disabling Null sessions is entirely
possible, quite easy, and doesn't break a lot (at least in my previous
testing years ago it didn't break anything noticeable). Can people please do
a little research before posting emails with incorrect information or simple
guesses/etc. Microsoft.com has a pretty good search engine now, there is of
course google, and other resources as well. I suppose this is why I run a
moderated subset of this list, less crap, more information.
For more in depth articles see the end of this posting.
===========
For a good description of how to disable them/etc:
http://mit.edu/pismere/support/for-cont-admins/null-session-info.html
"Settings in Windows 2000
Windows 2000 machines have a single registry value
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous which controls
this behavior. This is a DWORD value which can be set to either zero (0), one
(1), or two (2):
a.. When RestrictAnonymous is set to 0 (or does not exist), no
restrictions are placed on null sessions. This is the factory-default
setting.
b.. When RestrictAnonymous is set to 1, SAM accounts and shares cannot be
enumerated by null sessions.
c.. When RestrictAnonymous is set to 2, null sessions have no access
without explicit anonymous permissions.
When you edit a group policy object from a Windows 2000 machine, there is a
setting located under Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options called Additional restrictions for
anonymous connections. If you enable this setting, you are given three
choices, which cause the machines affected by the group policy object to set
their HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous in the
following way:
a.. If you select "None. Rely on default permissions", affected machines
set RestrictAnonymous to 0.
b.. If you select "Do not allow enumeration on SAM accounts and shares",
affected machines set RestrictAnonymous to 1.
c.. If you select "No access without explicit anonymous permissions",
affected machines set RestrictAnonymous to 2.
If you only have Windows 2000 machines in your container, this makes sense,
because the machines affected by your group policy object will all behave
appropriately when
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous is set this way.
Unfortunately, any Windows XP and Server 2003 machines in your container
will also receive these registry settings, which may not be the effect you
intended. "
===========
In depth (several pages) article on "The NULL session and the Guest
account"
http://www.microsoft.com/msj/0299/security/security0299.aspx
===========
An MSDN article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconreducenullsessionvulnerability.asp
"When a program or service is started by using the System user account, the
service logs on with null credentials. This can be a potential security
risk, because it allows for an unauthenticated log on to the system. A
hacker or worm can exploit this vulnerability and potentially access
sensitive data on the system.
The simplest way to reduce null session vulnerability is to disable NetBIOS
and verify that ports 139 and 445 are closed.
However, if your run-time image requires NetBIOS, you can control null
session access by editing the following registry key to restrict anonymous
access to sensitive data:
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: DWORD
Value: 0
The default value of this key is 0. Changing this value to 1 blocks
enumeration of SAM and user accounts, and prohibits a null session from
seeing user accounts and admin shares. A value of 2 disables null session
access without explicit permissions. Changing this value to 2 may conflict
with some applications that rely on null sessions.
After you change the registry data, reboot your run-time images and test
your applications to verify that they work with restricted null session
access."
===========
I think this should about cover it.
-Kurt Seifried
http://seifried.org/freescan2/
https://lists.seifried.org/mailman/listinfo/security
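
Added example, not part of the original post or the articles it quotes: a Python audit of collected `reg query HKLM\System\CurrentControlSet\Control\Lsa /v RestrictAnonymous` output, classified with the Windows 2000 meanings quoted above. The host names, the sample output text and the `minimum` threshold are constructed assumptions.

```python
import re

# Meanings as quoted in the post for Windows 2000 (XP/Server 2003 may differ).
MEANING = {
    0: "no restrictions on null sessions (factory default)",
    1: "SAM accounts and shares cannot be enumerated by null sessions",
    2: "no null session access without explicit anonymous permissions",
}

# Matches a line such as "    RestrictAnonymous    REG_DWORD    0x1"
VALUE_RE = re.compile(r"^\s*RestrictAnonymous\s+(REG_\w+)\s+(\S+)\s*$", re.I | re.M)


def parse_restrict_anonymous(reg_output):
    """Return (value, note) from `reg query ... /v RestrictAnonymous` output."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        # A missing value behaves like 0 according to the quoted description.
        return 0, "value not present, treated as 0"
    reg_type, raw = m.group(1).upper(), m.group(2)
    if reg_type != "REG_DWORD":
        return None, "unexpected type " + reg_type
    try:
        value = int(raw, 16)  # reg.exe prints DWORDs as hex, e.g. 0x1
    except ValueError:
        return None, "unparseable data " + raw
    if value not in MEANING:
        return None, "value %d is outside 0..2" % value
    return value, MEANING[value]


def audit(outputs, minimum=1):
    """Map host -> (value, note, ok); ok is True when value >= minimum."""
    report = {}
    for host, text in outputs.items():
        value, note = parse_restrict_anonymous(text)
        report[host] = (value, note, value is not None and value >= minimum)
    return report


# Constructed sample output for three hypothetical hosts.
SAMPLE = {
    "ws-a": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\n"
            "    RestrictAnonymous    REG_DWORD    0x1\n",
    "ws-b": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\n"
            "    RestrictAnonymous    REG_DWORD    0x0\n",
    "ws-c": "ERROR: The system was unable to find the specified registry key or value.\n",
}

if __name__ == "__main__":
    for host, (value, note, ok) in sorted(audit(SAMPLE).items()):
        print(host, "OK  " if ok else "FLAG", value, note)
```

Hosts reported with a value of None need manual review, since the data was not a DWORD in the 0 to 2 range the quoted articles describe.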