lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <00e201c5a375$8d5f2090$1a64110a@64DOG>
Date: Wed Aug 17 22:49:52 2005
From: listuser at seifried.org (Kurt Seifried)
Subject: Re: It's not that simple...

Actually it really is that simple. Disabling Null sessions is entirely 
possible, quite easy, and doesn't break a lot (at least in my previous 
testing years ago it didn't break anything noticeable). Can people please do 
a little research before posting emails with incorrect information or simple 
guesses/etc. Microsoft.com has a pretty good search engine now, there is of 
course google, and other resources as well. I suppose this is why I run a 
moderated subset of this list, less crap, more information.

For more in depth articles see the end of this posting.

===========

For a good description of how to disable them/etc:

http://mit.edu/pismere/support/for-cont-admins/null-session-info.html

"Settings in Windows 2000
Windows 2000 machines have a single registry value 
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous which controls 
this behavior. This is a DWORD value which be set to either zero (0), one 
(1), or two (2):

  a.. When RestrictAnonymous is set to 0 (or does not exist), no 
restrictions are placed on null sessions. This is the factory-default 
setting.
  b.. When RestrictAnonymous is set to 1, SAM accounts and shares cannot be 
enumerated by null sessions.
  c.. When RestrictAnonymous is set to 2, null sessions have no access 
without explicit anonymous permissions.
When you edit a group policy object from a Windows 2000 machine, there is a 
setting located under Computer Configuration/Windows Settings/Security 
Settings/Local Policies/Security Options called Additional restrictions for 
anonymous connections. If you enable this setting, you are given three 
choices, which cause the machines affected by the group policy object to set 
their HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous in the 
following way:
  a.. If you select "None. Rely on default permissions", affected machines 
set RestrictAnonymous to 0.
  b.. If you select "Do not allow enumeration on SAM accounts and shares", 
affected machines set RestrictAnonymous to 1.
  c.. If you select "No access without explicit anonymous permissions", 
affected machines set RestrictAnonymous to 2.
If you only have Windows 2000 machines in your container, this makes sense, 
because the machines affected by your group policy object will all behave 
appropriately when 
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous is set this way. 
Unfortunately, any Windows XP and Server 2003 machines in your container 
will also receive these registry settings, which may not be the effect you 
intended. "

===========

In depth (several pages) article on  "The NULL session and the Guest 
account"

http://www.microsoft.com/msj/0299/security/security0299.aspx

===========

An MSDN article:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconreducenullsessionvulnerability.asp
"When a program or service is started by using the System user account, the 
service logs on with null credentials. This can be a potential security 
risk, because it allows for an unauthenticated log on to the system. A 
hacker or worm can exploit this vulnerability and potentially access 
sensitive data on the system.

The simplest way to reduce null session vulnerability is to disable NetBios 
and verify that ports 139 and 445 are closed.

However, if your run-time image requires NetBIOS, you can control null 
session access by editing the following registry key to restrict anonymous 
access to sensitive data:

Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: DWORD
Value: 0

The default value of this key is 0. Changing this value to 1 blocks 
enumeration of SAM and user accounts, and prohibits a null session from 
seeing user accounts and admin shares. A value of 2 disables null session 
access without explicit permissions. Changing this value to 2 may conflict 
with some applications that rely on null sessions.

After you change the registry data, reboot your run-time images and test 
your applications to verify that they work with restricted null session 
access."

===========

I think this should about cover it.

-Kurt Seifried
http://seifried.org/freescan2/
https://lists.seifried.org/mailman/listinfo/security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ